Pseudonym credential configuration method and apparatus

ABSTRACT

A pseudonym credential configuration method and apparatus are provided. The method includes: receiving an identifier of a terminal device and information about N to-be-requested pseudonym credentials from the terminal device, sending N second request messages to a pseudonym credential generation server, and storing a tag of each second request message in association with the identifier of the terminal device in the registration server, so that the registration server can obtain, based on the tag, the identifier that is of the terminal device and that is associated with the tag; and generating N pseudonym credentials. The pseudonym credential generated in this application may enable a behavior investigation server to learn of a real identity of the terminal device.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No.PCT/SG2018/050305, filed on Jun. 22, 2018, the disclosure of which ishereby incorporated by reference in its entirety.

TECHNICAL FIELD

Embodiments of this application relate to Internet of Vehiclestechnologies, and in particular, to a pseudonym credential configurationmethod and apparatus.

BACKGROUND

The Internet of Vehicles means that information may be exchanged betweenvehicles, between a vehicle and a pedestrian, or between a vehicle and aroadside device by using a network communications technology. TheInternet of Vehicles usually implements interaction by broadcasting amessage on a specified radio channel.

In the Internet of Vehicles, in an information transmission method, whenan Internet of Vehicles (Vehicle to Everything, V2X) device sends amessage to another V2X device, to ensure integrity and reliability oftransmitted data, the V2X device at a transmit end adds, to the sentmessage, the transmitted data, a signature of the transmitted data usinga private key, and a certificate issued by an enrollment certificateauthority (ECA for short) to the V2X device at the transmit end. Theprivate key herein is a private key corresponding to a public key in thecertificate. The V2X device at a receive end verifies whether thereceived certificate is issued by the ECA, and verifies the receivedsignature by using the public key in the certificate. This method may bereferred to as a certificate-based information transmission method. Inanother information transmission method, when a V2X device sends amessage to another V2X device, to ensure integrity and reliability oftransmitted data, the V2X device at a transmit end adds, to the sentmessage, a signature signed on the transmitted data by using a privatekey. The private key herein is a private key corresponding to a realidentifier of the V2X device at the transmit end, and the realidentifier of the V2X device is a public key. The V2X device at areceive end verifies the received signature by using the public key-realidentifier. This method may be referred to as an identity-basedinformation transmission method. The foregoing two methods can help aV2X information system: (1) determine that the message received by theV2X device at the receive end is from a legitimate sending device; and(2) ensure that the message is not modified during transmission. Thisensures security of V2X communication. However, if the V2X device alwaysuses the same certificate or identity, the V2X device is easily trackedby a hacker, resulting in a risk of privacy infringement.

To avoid the foregoing case, a pseudonym certificate (PseudoCertificates) or a pseudonym identity is usually used for privacyprotection. A pseudonym certificate is usually issued by a pseudonymcertificate authority (Pseudo Certificate Authority, PCA for short).Usually, a plurality of pseudonym certificates are issued to one V2Xdevice, and the pseudonym certificates are used for communicationbetween V2X devices. A V2X device has a plurality of pseudonymcertificates, and a pseudonym certificate is replaced at a specifiedinterval. This can effectively prevent tracking and protect privacysecurity. Similarly, a pseudonym identity is usually issued by a keygeneration center (KGC for short) or a private key generator (PKG forshort). Usually, a plurality of pseudonym identities are usually issuedto one V2X device, and the pseudonym identities are used forcommunication between V2X devices. A V2X device has a plurality ofpseudonym identities, and a pseudonym identity is replaced at aspecified interval. This can also effectively prevent tracking andprotect privacy security.

However, if a V2X device has an improper behavior, a real identity ofthe V2X device cannot be identified by using the foregoing method.

SUMMARY

This application provides a pseudonym credential configuration methodand apparatus, to quickly identify a real identity of a terminal devicewhen the terminal device has an improper behavior during communication.

According to a first aspect, an embodiment of this application providesa pseudonym credential configuration method, applied to a pseudonymcredential configuration system. The pseudonym credential configurationsystem includes a plurality of terminal devices, a registration server,and a pseudonym credential generation server.

The registration server receives a first request message from the firstterminal device. The first request message includes an identifier of thefirst terminal device and information about N to-be-requested pseudonymcredentials. The first terminal device is any one of the plurality ofterminal devices, and N is a positive integer.

The registration server sends N second request messages to the pseudonymcredential generation server. The second request message includes afirst tag of the corresponding second request message and informationabout one to-be-requested pseudonym credential.

The registration server stores a first tag of each second requestmessage in association with the identifier of the first terminal devicein the registration server, so that the registration server can obtain,based on the first tag, the identifier that is of the first terminaldevice and that is associated with the first tag.

The pseudonym credential generation server generates N pseudonymcredentials. Each pseudonym credential includes the first tag of thecorresponding second request message and at least a part of theinformation that is about the to-be-requested pseudonym credential andthat is included in the corresponding second request message.

The pseudonym credential generation server sends the N pseudonymcredentials to the registration server.

The registration server sends the N pseudonym credentials to the firstterminal device.

In this solution, the generated pseudonym credential includes the tag ofthe second request message, and the tag of the second request messageand a real identifier of the terminal device are stored in associationwith each other in the registration server. In this way, when theterminal device has an improper behavior, the registration server canobtain the real identifier of the terminal device based on the tag inthe pseudonym credential, and can quickly determine a real identity ofthe terminal device based on the pseudonym credential used by theterminal device during communication, thereby ensuring security ofcommunication between terminal devices.

In addition, the first request message includes the identifier of theterminal device, and the second request message does not include theidentifier of the terminal device, so that the pseudonym credentialgeneration server does not learn of a terminal device to which agenerated pseudonym certificate belongs, but the registration serverlearns of the terminal device to which the pseudonym certificatebelongs, the pseudonym credential generation server sends the generatedpseudonym credential to the terminal device by using the pseudonymcredential generation server, thereby improving confidentiality of thegenerated pseudonym credential.

In a possible design, before the registration server sends the N secondrequest messages to the pseudonym credential generation server, themethod further includes:

The registration server determines a type of the first request message.The type is a pseudonym certificate request message or a pseudonymidentity request message.

If the type is a pseudonym certificate request message, that theregistration server sends N second request messages to the pseudonymcredential generation server includes: The registration server sends theN second request messages to a pseudonym certificate generation server.

If the type is a pseudonym identity request message, that theregistration server sends N second request messages to a pseudonymcredential generation server includes: The registration server sends theN second request messages to a pseudonym identity generation server.

In this solution, the registration server may determine whether the typeof the first request message is a pseudonym certificate request messageor a pseudonym identity request message, and both the pseudonymcertificate generation server and the pseudonym identity generationserver are disposed and are communicatively connected to theregistration server. In this way, the pseudonym credential configurationsystem can generate a pseudonym certificate for the terminal device, andcan also generate a pseudonym identity for the terminal device.

In a possible design, in order to quickly revoke the pseudonymcredential of the terminal device having the improper behavior, thepseudonym credential configuration system is further provided with afirst linkage value server and a second linkage value server. The methodfurther includes:

The registration server sends a third request message to the firstlinkage value server, and sends a fourth request message to the secondlinkage value server. The third request message includes indicationinformation instructing the first linkage value server to generate Nfirst pre-linkage values. The fourth request message includes indicationinformation instructing the second linkage value server to generate Nsecond pre-linkage values.

The first linkage value server generates N first pre-linkage values, andsends the N first pre-linkage values to the registration server.

The second linkage value server generates N second pre-linkage values,and sends the N second pre-linkage values to the registration server.

In this case, each second request message further includes one firstpre-linkage value and one second pre-linkage value. Each pseudonymcredential further includes one linkage value. The linkage value isobtained by the pseudonym credential generation server based on thefirst pre-linkage value and the second pre-linkage value included in thecorresponding second request message.

Further, the third request message further includes a first hash value.The first hash value is a hash value corresponding to an identifier ofthe first terminal and a first random number. The fourth request messagefurther includes a second hash value. The second hash value is a hashvalue corresponding to the identifier of the first terminal and a secondrandom number. The method further includes:

The registration server stores both the first hash value and the secondhash value in association with the identifier of the first terminal, sothat the registration server can obtain the first hash value and thesecond hash value based on the identifier of the first terminal.

Optionally, that the first linkage value server generates N firstpre-linkage values includes: The first linkage value server generates Nfirst seed values, and generates N first pre-linkage values based on theN first seed values. The N first seed values include one first nativeseed value.

That the second linkage value server generates N second pre-linkagevalues includes: The second linkage value server generates N secondpre-linkage values based on the fourth request message. The N secondseed values include one second native seed value.

The method further includes:

The first linkage value server stores a first target value inassociation with the first hash value, so that the first linkage valueserver can obtain the first target value based on the first hash value.The first target value is one of a first native seed value, N first seedvalues, and N first pre-linkage values.

The second linkage value server stores a second target value inassociation with the second hash value, so that the second linkage valueserver can obtain the second target value based on the second hashvalue. The second target value is one of a second native seed value, Nsecond seed values, and N second pre-linkage values.

In this solution, the generated pseudonym credential not only includesthe tag of the second request message, but also includes the linkagevalue. Because the registration server stores the first hash value ofthe identifier of the terminal device and the first random number inassociation with the identifier of the terminal device, and stores thesecond hash value of the identifier of the terminal device and thesecond random number in association with the identifier ID1 of theterminal device, the registration server can obtain the first hash valueand the second hash value based on the identifier ID1 of the terminaldevice. In addition, the first hash value and the second hash value arestored in linkage with a native seed value or a seed value or apre-linkage value related to a linkage value in the generated pseudonymcertificate, so that linkage values in all pseudonym certificates of theterminal device can be obtained, and all the pseudonym certificates ofthe terminal device can be quickly revoked based on the obtained linkagevalues.

In this solution, two linkage value servers are set, and the linkagevalue can be obtained only based on the first pre-linkage valuegenerated by the first linkage value server and the second pre-linkagevalue generated by the second linkage value server, so that it can beensured that the linkage value written into the pseudonym certificate islearned of by only the pseudonym certificate generation server, therebyfurther ensuring security of the pseudonym certificate.

In a possible design, the pseudonym credential configuration systemfurther includes a behavior investigation server. The method furtherincludes:

The behavior investigation server receives a report message from asecond terminal device. The report message includes a first pseudonymcredential of a third terminal device. Both the second terminal deviceand the third terminal device are any one of the plurality of terminaldevices.

The behavior investigation server sends the first pseudonym credentialto the pseudonym credential generation server.

The pseudonym credential generation server obtains a second tag includedin the first pseudonym credential, and sends the second tag to thebehavior investigation server.

The behavior investigation server sends the second tag to theregistration server.

The registration server obtains an identifier that is of the thirdterminal device and that is associated with the second tag, and sendsthe identifier of the third terminal device to the behaviorinvestigation server.

In this solution, the behavior investigation server may be disposed tomonitor a behavior of a terminal device, and interact with theregistration server and the pseudonym credential server, so that a realidentity of a terminal device having an improper behavior can be quicklyidentified.

In a possible design, the registration server obtains a third hash valueand a fourth hash value that are associated with the identifier of thethird terminal device, and sends the third hash value and the fourthhash value to the behavior investigation server. The third hash value isa hash value corresponding to the identifier of the third terminal and athird random number. The fourth hash value is a hash value correspondingto the identifier of the third terminal and a fourth random number.

The behavior investigation server sends the third hash value to thefirst linkage value server, and sends the fourth hash value to thesecond linkage value server.

The first linkage value server obtains a third target value setassociated with the third hash value, where the third target valueincludes one of a third native seed value, N third seed values, and Nthird pre-linkage values; and sends the third target value set to thebehavior investigation server.

The second linkage value server obtains a fourth target value setassociated with the fourth hash value, where the fourth target value setincludes one of a fourth native seed value, N fourth seed values, and Nfourth pre-linkage values, and sends the fourth target value set to thebehavior investigation server.

The behavior investigation server generates N linkage values based onthe third target value set and the fourth target value set.

For each linkage value, the behavior investigation server revokes apseudonym credential that includes the linkage value.

In this solution, the behavior investigation server may be disposed tomonitor a behavior of a terminal device, and interact with theregistration server and the pseudonym credential server, so that apseudonym credential of a terminal device having an improper behaviorcan be quickly revoked.

According to a second aspect, an embodiment of this application providesa pseudonym credential configuration method, including:

A registration server receives a first request message from a terminaldevice. The first request message includes an identifier of the terminaldevice and information about N to-be-requested pseudonym credentials,and N is a positive integer.

The registration server sends N second request messages to a pseudonymcredential generation server. The second request message is used toinstruct the pseudonym credential generation server to generate apseudonym credential. The pseudonym credential includes a tag of thecorresponding second request message and at least a part of informationabout one to-be-requested pseudonym credential included in thecorresponding second request message.

The registration server stores a tag of each second request message inassociation with the identifier of the terminal device in theregistration server, so that the registration server can obtain, basedon the tag, the identifier that is of the first terminal device and thatis associated with the tag.

The registration server receives N pseudonym credentials from thepseudonym credential generation server, and sends the N pseudonymcredentials to the terminal device.

In a possible design, before the registration server sends the N secondrequest messages to the pseudonym credential generation server, themethod further includes:

The registration server determines a type of the first request message.The type is a pseudonym certificate request message or a pseudonymidentity request message.

If the type is a pseudonym certificate request message, that theregistration server sends N second request messages to a pseudonymcredential generation server includes: The registration server sends theN second request messages to a pseudonym certificate generation server.

If the type is a pseudonym identity request message, that theregistration server sends N second request messages to a pseudonymcredential generation server includes: The registration server sends theN second request messages to a pseudonym identity generation server.

In a possible design, the first request message further includes firstindication information indicating a type of the first request message.

That the registration server determines a type of the first requestmessage includes:

The registration server determines the type of the first request messagebased on the first indication information.

In a possible design, before the registration server sends the N secondrequest messages to the pseudonym credential generation server, themethod further includes:

The registration server sends a third request message to the firstlinkage value server, and sends a fourth request message to the secondlinkage value server. The third request message includes indicationinformation instructing the first linkage value server to generate Nfirst pre-linkage values. The fourth request message includes indicationinformation instructing the second linkage value server to generate Nsecond pre-linkage values.

The registration server receives N first pre-linkage values from thefirst linkage value server, and receives N second pre-linkage valuesfrom the second linkage value server.

In this case, each pseudonym credential further includes a linkagevalue, and the linkage value is obtained by the pseudonym credentialgeneration server based on a first pre-linkage value and a secondpre-linkage value included in a corresponding second request message.

In a possible design, the third request message further includes a firsthash value. The first hash value is a hash value corresponding to theidentifier of the terminal device and a first random number. The fourthrequest message further includes a second hash value. The second hashvalue is a hash value corresponding to the identifier of the terminaldevice and a second random number. The method further includes:

The registration server stores the identifier of the terminal device inassociation with the first hash value and the second hash value, so thatthe registration server can obtain the first hash value and the secondhash value based on the identifier of the terminal device.

In a possible design, the first pre-linkage value is a linkage valueencrypted by using a public key of the pseudonym credential generationserver, and the second pre-linkage value is a linkage value encrypted byusing the public key of the pseudonym credential generation server.

In this solution, the first pre-linkage value and the second pre-linkagevalue are encrypted, so that confidentiality of a finally generatedlinkage value is improved.

In a possible design, the information about the to-be-requestedpseudonym credential is information obtained after actual information ofthe to-be-requested pseudonym credential is encrypted by using a publickey of the pseudonym credential generation server.

In this case, the at least a part of the information about theto-be-requested pseudonym credential that is included in the pseudonymcredential is at least a part of the actual information of theto-be-requested pseudonym credential.

If the pseudonym credential is a pseudonym certificate, the at least apart of the actual information of the to-be-requested pseudonymcredential includes a pseudonym certificate public key.

If the pseudonym credential is a pseudonym identity, the at least a partof the actual information of the to-be-requested pseudonym credentialincludes a pseudonym identifier.

In this solution, because the information about the to-be-requestedpseudonym credential is information obtained by encrypting the actualinformation of the to-be-requested pseudonym credential by using thepublic key of the pseudonym credential generation server, theregistration server cannot learn of content of the pseudonym credential,and can learn of only a terminal device to which the pseudonymcredential belongs, thereby ensuring confidentiality of the generatedpseudonym credential.

In a possible design, if the pseudonym credential is a pseudonymidentity, the method further includes:

The registration server receives, from the pseudonym credentialgeneration server, N pseudonym private keys corresponding to N pseudonymidentifiers in N pseudonym identities.

In a possible design, the method further includes:

The registration server receives a target tag from a behaviorinvestigation server.

The registration server determines a target identifier associated withthe target tag. The target identifier is used to indicate a targetterminal device.

In a possible design, after the registration server receives the targettag from the behavior investigation server, the method further includes:

sending a first target hash value and a second target hash value thatare associated with the target identifier to the behavior investigationserver. The first target hash value is a hash value corresponding to thetarget identifier and a third random number. The second target hashvalue is a hash value corresponding to the target identifier and afourth random number.

According to a third aspect, an embodiment of this application providesa pseudonym credential configuration method, including:

A pseudonym credential generation server receives a request message froma registration server. The request message includes a tag of the requestmessage and information about a to-be-requested pseudonym credential ofa terminal device. The tag of the request message and an identifier ofthe terminal device are stored in association with each other in theregistration server, so that the registration server can obtain, basedon the tag, the identifier that is of the terminal device and that isassociated with the tag.

The pseudonym credential generation server generates a pseudonymcredential. The pseudonym credential includes the tag and at least apart of the information about the to-be-requested pseudonym credential.

The pseudonym credential generation server sends the pseudonymcredential to the registration server.

In a possible design, the information about the to-be-requestedpseudonym credential is information obtained after actual information ofthe to-be-requested pseudonym credential is encrypted by using a publickey of the pseudonym credential generation server.

That the pseudonym credential generation server generates a pseudonymcredential includes:

The pseudonym credential generation server decrypts the informationabout the to-be-requested pseudonym credential by using a private key ofthe pseudonym credential generation server, to obtain the actualinformation of the to-be-requested pseudonym credential.

The pseudonym credential generation server generates the pseudonymcredential based on the tag and at least a part of the actualinformation of the to-be-requested pseudonym credential.

In a possible design, the request message further includes a firstpre-linkage value and a second pre-linkage value that are encrypted byusing a public key of the pseudonym credential generation server.

That the pseudonym credential generation server generates a pseudonymcredential further includes:

The pseudonym credential generation server decrypts, by using a privatekey of the pseudonym credential generation server, the first pre-linkagevalue and the second pre-linkage value that are encrypted by using thepublic key of the pseudonym credential generation server, to obtain thefirst pre-linkage value and the second pre-linkage value.

The pseudonym credential generation server performs an exclusive ORoperation on the first pre-linkage value and the second pre-linkagevalue to obtain a linkage value.

In this case, that the pseudonym credential generation server generatesthe pseudonym credential based on the tag and at least a part of theactual information of the to-be-requested pseudonym credential includes:

The pseudonym credential generation server generates the pseudonymcredential based on the tag, the at least a part of the actualinformation of the to-be-requested pseudonym credential, and the linkagevalue.

In a possible design, that the pseudonym credential generation servergenerates the pseudonym credential based on the tag, the at least a partof the actual information of the to-be-requested pseudonym credential,and the linkage value includes:

The pseudonym credential generation server encrypts the tag by using asymmetric key of the pseudonym credential generation server, to obtainan encrypted tag.

The pseudonym credential generation server generates the pseudonymcredential based on the encrypted tag, the at least a part of the actualinformation of the to-be-requested pseudonym credential, and the linkagevalue.

In this solution, the tag is encrypted by using the symmetric key of thepseudonym credential generation server to obtain the encrypted tag, sothat the terminal device cannot learn of the tag, thereby preventing theterminal device from tampering.

In a possible design, if the pseudonym credential is a pseudonymcertificate, the actual information of the to-be-requested pseudonymcredential includes a pseudonym certificate public key, and thepseudonym credential generation server is a pseudonym certificategeneration server.

That the pseudonym credential generation server generates the pseudonymcredential based on the encrypted tag, the at least a part of the actualinformation of the pseudonym credential, and the linkage value includes:

The pseudonym certificate generation server generates the pseudonymcertificate based on the encrypted tag, the pseudonym certificate publickey, and the linkage value.

In a possible design, if the pseudonym credential is a pseudonymidentity, the actual information of the to-be-requested pseudonymcredential includes a pseudonym identifier, and the pseudonym credentialgeneration server is a pseudonym identity generation server.

That the pseudonym credential generation server generates the pseudonymcredential based on the encrypted tag, the at least a part of the actualinformation of the to-be-requested pseudonym credential, and the linkagevalue includes:

The pseudonym identity generation server generates the pseudonymidentity based on the encrypted tag, the pseudonym identifier, and thelinkage value.

In a possible design, the actual information of the to-be-requestedpseudonym credential further includes a temporary public key. The methodfurther includes:

The pseudonym certificate generation server encrypts the pseudonymcertificate by using the temporary public key, to obtain an encryptedpseudonym certificate.

That the pseudonym credential generation server sends the pseudonymcertificate to the registration server includes:

The pseudonym certificate generation server sends the encryptedpseudonym certificate to the registration server.

In this solution, the pseudonym certificate is encrypted by using thetemporary public key to obtain the encrypted pseudonym certificate, sothat the registration server cannot learn of content of the pseudonymcertificate, and can learn of only a terminal device to which thepseudonym certificate belongs, thereby ensuring confidentiality of thegenerated pseudonym certificate.

In a possible design, the actual information of the to-be-requestedpseudonym credential further includes a temporary public key. The methodfurther includes:

The pseudonym identity generation server encrypts the pseudonym identityby using the temporary public key, to obtain an encrypted pseudonymidentity.

That the pseudonym credential generation server sends the pseudonymidentity to the registration server includes:

The pseudonym identity generation server sends the encrypted pseudonymidentity to the registration server.

In this solution, the pseudonym identity is encrypted by using thetemporary public key to obtain the encrypted pseudonym identity, so thatthe registration server cannot learn of content of the pseudonymidentity, and can learn of only a terminal device to which the pseudonymidentity belongs, thereby ensuring confidentiality of the generatedpseudonym identity.

In a possible design, the method further includes:

The pseudonym identity generation server generates a pseudonym privatekey corresponding to the pseudonym identifier.

The pseudonym identity generation server encrypts the pseudonym privatekey by using the temporary public key, to obtain an encrypted pseudonymprivate key.

The pseudonym identity generation server sends the encrypted pseudonymprivate key to the registration server.

In a possible design, the pseudonym credential generation serverreceives a target pseudonym credential sent by a behavior investigationserver.

The pseudonym credential generation server obtains a target tag in thetarget pseudonym credential.

The pseudonym credential generation server sends the target tag to thebehavior investigation server.

According to a fourth aspect, an embodiment of this application providesa pseudonym credential configuration method, including:

A behavior investigation server receives a report message from a firstterminal device. The report message includes a pseudonym credential of asecond terminal device.

The behavior investigation server sends the pseudonym credential to apseudonym credential generation server, so that the pseudonym credentialgeneration server obtains a target tag included in the pseudonymcredential. The target tag is a tag corresponding to a request messagesent by a registration server to the pseudonym credential generationserver. The request message instructs the pseudonym credentialgeneration server to generate the pseudonym credential.

The behavior investigation server receives the target tag from thepseudonym credential generation server.

The behavior investigation server sends the target tag to theregistration server, so that the registration server obtains anidentifier that is of the second terminal device and that is associatedwith the target tag.

In a possible design, the method further includes:

receiving, from the registration server, a first target hash valuecorresponding to the identifier of the second terminal device and afirst random number, and a second target hash value corresponding to theidentifier of the second terminal device and a second random number.

The behavior investigation server sends the first target hash value to afirst linkage value server, and sends the second target hash value to asecond linkage value server.

The behavior investigation server receives a first target value setassociated with the first target hash value from the first linkage valueserver, and receives a second target value set associated with a targethash value from the second linkage value server. The first target valueset includes one of N first seed values, a first native seed value, andN first pre-linkage values. The second target value set includes one ofN second seed values, a second native seed value, and N secondpre-linkage values.

The behavior investigation server generates N linkage values based onthe first target value set and the second target value set.

For each linkage value, the behavior investigation server revokes apseudonym credential that includes the linkage value.

In a possible design, the first target value set includes a first nativeseed value, and the second target value set includes a second nativeseed value.

In this case, that the behavior investigation server generates N linkagevalues based on the first target value set and the second target valueset includes:

The behavior investigation server generates N−1 first seed values basedon the first native seed value, and generates N first pre-linkage valuesbased on the first native seed value and the N−1 first seed values.

The behavior investigation server generates N−1 second seed values basedon the second native seed value, and generates N second pre-linkagevalues based on the second native seed value and the N−1 second seedvalues.

For each of N groups of pre-linkage values, the behavior investigationserver performs an exclusive OR operation on a first pre-linkage valueand a second pre-linkage value that are included in the group to obtaina linkage value. Each group of pre-linkage values includes one firstpre-linkage value and one second pre-linkage value.

In a possible design, the first target value set includes N firstpre-linkage values, and the second target value set includes N secondpre-linkage values.

In this case, that the behavior investigation server generates N linkagevalues based on the first target value set and the second target valueset includes:

For each of N groups of pre-linkage values, the behavior investigationserver performs an exclusive OR operation on a first pre-linkage valueand a second pre-linkage value in the group to obtain a linkage value.

In a possible design, the first target value set includes N first seedvalues, and the second target value set includes N second seed values.

In this case, that the behavior investigation server generates N linkagevalues based on the first target value set and the second target valueset includes:

The behavior investigation server generates N first pre-linkage valuesbased on the N first seed values.

The behavior investigation server generates N second pre-linkage valuesbased on the N second seed values.

For each of N groups of pre-linkage values, the behavior investigationserver performs an exclusive OR operation on a first pre-linkage valueand a second pre-linkage value that are included in the group to obtaina linkage value. Each group of pre-linkage values includes one firstpre-linkage value and one second pre-linkage value.

According to a fifth aspect, an embodiment of this application providesa pseudonym credential configuration method, including:

A linkage value server receives a request message from the registrationserver. The request message includes indication information instructingthe linkage value server to generate N pre-linkage values.

The linkage value server generates N pre-linkage values.

The linkage value server sends a feedback message to the registrationserver. The feedback message includes the N pre-linkage values.

In a possible design, that the linkage value server generates Npre-linkage values includes:

The linkage value server generates N seed values. The N seed valuesinclude one native seed value.

The linkage value server generates the N pre-linkage values based on theN seed values.

In a possible design, the request message further includes a hash value,and the hash value is a hash value corresponding to an identifier of aterminal device that requests a pseudonym credential and a randomnumber. The method further includes:

The linkage value server stores a first target value set in associationwith the hash value, so that the linkage value server can obtain thefirst target value based on the hash value. The first target value setis one of the native seed value, the N pre-linkage values, and the Nseed values.

In a possible design, the i^(th) seed value is a hash value of an(i−1)^(th) seed value, i=2, 3, . . . , N, and the native seed value is afirst seed value.

In a possible design, the m^(th) pre-linkage value is a part of them^(th) seed value.

Alternatively, the m^(th) pre-linkage value is a hash value of them^(th) seed value.

m=1, 2, . . . , N.

In a possible design, the linkage value server receives a target hashvalue from a behavior investigation server. The target hash value is ahash value corresponding to a target identifier of a target terminaldevice and a target random number.

The linkage value server obtains a second target value set associatedwith the target hash value. The second target value set includes one ofN seed values, a native seed value, and N pre-linkage values.

The linkage value server sends the second target value set to thebehavior investigation server.

According to a sixth aspect, an embodiment of this application providesa pseudonym credential configuration system. The pseudonym credentialconfiguration system includes a plurality of terminal devices, aregistration server, and a pseudonym credential generation server.

The registration server is configured to receive a first request messagefrom the first terminal device. The first request message includes anidentifier of the first terminal device and information about Nto-be-requested pseudonym credentials. The first terminal device is anyone of the plurality of terminal devices, and N is a positive integer.

The registration server is further configured to send N second requestmessages to the pseudonym credential generation server. The secondrequest message includes a first tag of the corresponding second requestmessage and information about one to-be-requested pseudonym credential.

The registration server is configured to store a first tag of eachsecond request message in association with the identifier of the firstterminal device in the registration server, so that the registrationserver can obtain, based on the first tag, the identifier that is of thefirst terminal device and that is associated with the first tag.

The pseudonym credential generation server is configured to generate Npseudonym credentials. Each pseudonym credential includes the first tagof the corresponding second request message and at least a part of theinformation that is about the to-be-requested pseudonym credential andthat is included in the corresponding second request message.

The pseudonym credential generation server is further configured to sendthe N pseudonym credentials to the registration server.

The registration server is further configured to send the N pseudonymcredentials to the first terminal device.

In a possible design, the pseudonym credential configuration systemfurther includes a first linkage value server and a second linkage valueserver.

The registration server is further configured to send a third requestmessage to the first linkage value server, and send a fourth requestmessage to the second linkage value server. The third request messageincludes indication information instructing the first linkage valueserver to generate N first pre-linkage values. The fourth requestmessage includes indication information instructing the second linkagevalue server to generate N second pre-linkage values.

The first linkage value server is configured to generate N firstpre-linkage values, and send the N first pre-linkage values to theregistration server.

The second linkage value server is configured to generate N secondpre-linkage values, and send the N second pre-linkage values to theregistration server.

In this case, each second request message further includes one firstpre-linkage value and one second pre-linkage value. Each pseudonymcredential further includes one linkage value. The linkage value isobtained by the pseudonym credential generation server based on a firstpre-linkage value and a second pre-linkage value included in acorresponding second request message.

In a possible design, the registration server is further configured todetermine a type of the first request message before the registrationserver sends the N second request messages to the pseudonym credentialgeneration server. The type is a pseudonym certificate request messageor a pseudonym identity request message.

If the type is a pseudonym certificate request message, the registrationserver is specifically configured to send the N second request messagesto a pseudonym certificate generation server.

If the type is a pseudonym identity request message, the registrationserver is specifically configured to send the N second request messagesto a pseudonym identity generation server.

In a possible design, the third request message further includes a firsthash value. The first hash value is a hash value corresponding to anidentifier of the first terminal and a first random number. The fourthrequest message further includes a second hash value. The second hashvalue is a hash value corresponding to the identifier of the firstterminal and a second random number. The method further includes:

The registration server is further configured to store both the firsthash value and the second hash value in association with the identifierof the first terminal, so that the registration server can obtain thefirst hash value and the second hash value based on the identifier ofthe first terminal.

The first linkage value server is specifically configured to generate Nfirst seed values, and generate N first pre-linkage values based on theN first seed values. The N first seed values include one first nativeseed value.

The second linkage value server is specifically configured to generate Nsecond pre-linkage values based on the fourth request message. The Nsecond seed values include one second native seed value.

The first linkage value server is further configured to store the firsttarget value in association with the first hash value, so that the firstlinkage value server can obtain the first target value based on thefirst hash value. The first target value is one of a first native seedvalue, N first seed values, and N first pre-linkage values.

The second linkage value server is further configured to store thesecond target value in association with the second hash value, so thatthe second linkage value server can obtain the second target value basedon the second hash value. The second target value is one of a secondnative seed value, N second seed values, and N second pre-linkagevalues.

In a possible design, the pseudonym credential configuration systemfurther includes a behavior investigation server.

The behavior investigation server is configured to receive a reportmessage from a second terminal device. The report message includes afirst pseudonym credential of a third terminal device. Both the secondterminal device and the third terminal device are any one of theplurality of terminal devices.

The behavior investigation server is further configured to send thefirst pseudonym credential to the pseudonym credential generationserver.

The pseudonym credential generation server is further configured toobtain a second tag included in the first pseudonym credential, and sendthe second tag to the behavior investigation server.

The behavior investigation server is further configured to send thesecond tag to the registration server.

The registration server is further configured to obtain an identifierthat is of the third terminal device and that is associated with thesecond tag, and send the identifier of the third terminal device to thebehavior investigation server.

In a possible design, the registration server is further configured toobtain a third hash value and a fourth hash value that are associatedwith the identifier of the third terminal device, and send the thirdhash value and the fourth hash value to the behavior investigationserver. The third hash value is a hash value corresponding to theidentifier of the third terminal and a third random number. The fourthhash value is a hash value corresponding to the identifier of the thirdterminal and a fourth random number.

The behavior investigation server is further configured to send thethird hash value to the first linkage value server, and send the fourthhash value to the second linkage value server.

The first linkage value server is further configured to obtain a thirdtarget value set associated with the third hash value, where the thirdtarget value includes one of a third native seed value, N third seedvalues, and N third pre-linkage values; and send the third target valueset to the behavior investigation server.

The second linkage value server is further configured to obtain a fourthtarget value set associated with the fourth hash value, where the fourthtarget value set includes one of a fourth native seed value, N fourthseed values, and N fourth pre-linkage values; and send the fourth targetvalue set to the behavior investigation server.

The behavior investigation server is further configured to generate Nlinkage values based on the third target value set and the fourth targetvalue set.

For each linkage value, the behavior investigation server is furtherconfigured to revoke a pseudonym credential that includes the linkagevalue.

According to a seventh aspect, an embodiment of this applicationprovides a pseudonym credential configuration apparatus, including:

a receiving module, configured to receive a first request message from aterminal device, where the first request message includes an identifierof the terminal device and information about N to-be-requested pseudonymcredentials, and N is a positive integer;

a sending module, configured to send N second request messages to apseudonym credential generation server, where the second request messageis used to instruct the pseudonym credential generation server togenerate a pseudonym credential, and the pseudonym credential includes atag of the corresponding second request message and at least a part ofinformation about one to-be-requested pseudonym credential included inthe corresponding second request message; and

a storage module, configured to store a tag of each second requestmessage in association with the identifier of the terminal device in theregistration server, so that the registration server can obtain, basedon the tag, the identifier that is of the first terminal device and thatis associated with the tag.

The receiving module is further configured to receive N pseudonymcredentials from the pseudonym credential generation server, and sendthe N pseudonym credentials to the terminal device.

In a possible design, the pseudonym credential configuration apparatusfurther includes a determining module. The determining module isconfigured to determine a type of the first request message before thesending module sends the N second request messages to the pseudonymcredential generation server. The type is a pseudonym certificaterequest message or a pseudonym identity request message.

If the type is a pseudonym certificate request message, the sendingmodule sends the N second request messages to a pseudonym certificategeneration server.

If the type is a pseudonym identity request message, the sending modulesends the N second request messages to the pseudonym identity generationserver.

In a possible design, the sending module is further configured to:

before sending the N second request messages to the pseudonym credentialgeneration server, send a third request message to a first linkage valueserver, and send a fourth request message to a second linkage valueserver. The third request message includes indication informationinstructing the first linkage value server to generate N firstpre-linkage values. The fourth request message includes indicationinformation instructing the second linkage value server to generate Nsecond pre-linkage values.

The receiving module is further configured to receive the N firstpre-linkage values from the first linkage value server, and receive theN second pre-linkage values from the second linkage value server.

In this case, each pseudonym credential further includes a linkagevalue. The linkage value is obtained by the pseudonym credentialgeneration server based on a first pre-linkage value and a secondpre-linkage value included in a corresponding second request message.

In a possible design, the third request message further includes a firsthash value. The first hash value is a hash value corresponding to theidentifier of the terminal device and a first random number. The fourthrequest message further includes a second hash value. The second hashvalue is a hash value corresponding to the identifier of the terminaldevice and a second random number. The pseudonym credentialconfiguration apparatus further includes:

the storage module, configured to store the identifier of the terminaldevice in association with the first hash value and the second hashvalue, so that the registration server can obtain the first hash valueand the second hash value based on the identifier of the terminaldevice.

In a possible design, the pseudonym credential configuration apparatusfurther includes the determining module.

The receiving module is configured to receive a target tag from abehavior investigation server.

The determining module is configured to determine a target identifierassociated with the target tag. The target identifier is used toindicate a target terminal device.

The sending module is further configured to send a first target hashvalue and a second target hash value that are associated with the targetidentifier to the behavior investigation server. The first target hashvalue is a hash value corresponding to the target identifier and a thirdrandom number. The second target hash value is a hash valuecorresponding to the target identifier and a fourth random number.

According to an eighth aspect, an embodiment of this applicationprovides a computer readable storage medium. The computer readablestorage medium stores a computer program. When the computer program isexecuted by a processor, the method in any one of the second aspect orthe possible designs of the second aspect is performed.

According to a ninth aspect, an embodiment of this application providesa registration server, including a processor and a memory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod in any one of the second aspect or the possible designs of thesecond aspect.

According to a tenth aspect, an embodiment of this application providesa computer readable storage medium. The computer readable storage mediumstores a computer program. When the computer program is executed by aprocessor, the method in any one of the third aspect or the possibledesigns of the third aspect is performed.

According to an eleventh aspect, an embodiment of this applicationprovides a pseudonym credential generation server, including a processorand a memory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod in any one of the third aspect or the possible designs of thethird aspect.

According to a twelfth aspect, an embodiment of this applicationprovides a computer readable storage medium. The computer readablestorage medium stores a computer program. When the computer program isexecuted by a processor, the method in any one of the fourth aspect orthe possible designs of the fourth aspect is performed.

According to a thirteenth aspect, an embodiment of this applicationprovides a behavior investigation server, including a processor and amemory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod in any one of the fourth aspect or the possible designs of thefourth aspect.

According to a fourteenth aspect, an embodiment of this applicationprovides a computer readable storage medium. The computer readablestorage medium stores a computer program. When the computer program isexecuted by a processor, the method in any one of the fifth aspect orthe possible designs of the fifth aspect is performed.

According to a fifteenth aspect, an embodiment of this applicationprovides a linkage value server, including a processor and a memory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod in any one of the fifth aspect or the possible designs of thefifth aspect.

In this application, the generated pseudonym certificate includes a tagof the second request message and a linkage value. When the terminaldevice has an improper behavior, the real identifier of the terminaldevice can be quickly identified based on the tag of the second requestmessage. In addition, the registration server stores the first hashvalue of the identifier of the terminal device and the first randomnumber in association with the identifier of the terminal device, andstores the second hash value of the identifier of the terminal deviceand the second random number in association with the identifier of theterminal device. Therefore, the registration server can obtain the firsthash value and the second hash value based on the identifier of theterminal device. In addition, the first hash value and the second hashvalue are stored in linkage with the native seed value or the seed valueor the pre-linkage value related to the linkage value in the generatedpseudonym certificate, so that the linkage values in all the pseudonymcertificates of the terminal device can be obtained, and all thepseudonym certificates of the terminal device can be quickly revokedbased on the obtained linkage values.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a first diagram of a system architecture according to anembodiment of this application;

FIG. 2 is a second diagram of a system architecture according to anembodiment of this application;

FIG. 3 is a schematic diagram of an application scenario based on thesystem architecture shown in FIG. 1 ;

FIG. 4 is a schematic diagram of an application scenario based on thesystem architecture shown in FIG. 2 ;

FIG. 5 is a first signaling interaction diagram of a pseudonymcredential configuration method according to an embodiment of thisapplication;

FIG. 6A, FIG. 6B and FIG. 6C are a second signaling interaction diagramof a pseudonym credential configuration method according to anembodiment of this application;

FIG. 7 is a third signaling interaction diagram of a pseudonymcredential configuration method according to an embodiment of thisapplication;

FIG. 8A, FIG. 8B and FIG. 8C are a fourth signaling interaction diagramof a pseudonym credential configuration method according to anembodiment of this application;

FIG. 9A, FIG. 9B and FIG. 9C are a fifth signaling interaction diagramof a pseudonym credential configuration method according to anembodiment of this application;

FIG. 10 is a first schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication;

FIG. 11 is a second schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication;

FIG. 12 is a third schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication;

FIG. 13 is a fourth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication;

FIG. 14 is a fifth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication;

FIG. 15 is a sixth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication; and

FIG. 16 is a seventh schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication.

FIG. 17 is a eighth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication.

DESCRIPTION OF EMBODIMENTS

Related terms used in the embodiments of this application are firstexplained.

Asymmetric cryptography: Asymmetric cryptography is a cryptographicalgorithm. Such a cryptographic method requires a pair of keys: one is aprivate key and the other is a public key. The two keys aremathematically related. Information obtained by using an encryption keyin a pair of keys can be decrypted only by using a decryption key in thepair of keys. If one key in a pair of keys is known, the other keycannot be calculated. Therefore, if one key of a pair of keys isdisclosed, confidentiality of the other key is not affected.

Common public key encryption algorithms include an RSA(Rivest-Shamir-Adleman) algorithm, an ElGamal algorithm, a knapsackalgorithm, a Rabin algorithm (a special case of the RSA), and theelliptic curve cryptography (ECC for short). A most widely usedalgorithm is the RSA algorithm. The RSA algorithm is a well-known publickey encryption algorithm.

Key pair: A key par includes a private key and a public key, and belongsto an asymmetric cryptography technology. The private key is held by anowner of the key pair and cannot be disclosed. The public key isreleased by the owner of the key pair to others.

Text digest: A hash value obtained by usually using SHA1, SHA2, andother algorithms after hash calculation is performed on text is a textdigest.

Signature: A ciphertext obtained by a data transmit end by encrypting adigest of a transmission text by using a private key is referred to as asignature of the transmission text.

Signature verification: A data receive end receives the transmissiontext, but needs to check whether the transmission text is content sentby the data transmit end and whether the transmission text is tamperedwith during transmission. Therefore, the data receive end decrypts thesignature of the transmission text by using a held public key, to obtainthe digest of the transmission text; then calculates the digest of thereceived transmission text by using a hash algorithm that is the same asthat used by the transmit end to obtain the digest; and compares thecalculated digest with the decrypted digest. If the two digests areidentical, it indicates that the transmission text is not tampered with.

ECA certificate: An ECA certificate is a certificate issued by anenrollment certificate authority (ECA for short), and may include aterminal device identifier (unique and real identifier), a public key,an ECA certificate expiration time, and an ECA certificate signature. Aprocess of obtaining the ECA certificate signature is as follows: A hashvalue corresponding to information in the certificate other than thesignature is obtained. The hash value is encrypted by using a privatekey of the ECA certificate, to obtain the signature.

Pseudonym credential: A pseudonym credential may be a pseudonymcertificate or a pseudonym identity.

A pseudonym certificate (pseudo certificates) may also be referred to asa pseudo certificate and is a certificate issued by a pseudonymcertificate authority (Pseudo Certificate Authority) instead of the ECA.A terminal device applies for a plurality of pseudonym certificates fromthe pseudonym certificate authority, and replaces a pseudonymcertificate at a specified interval. This can effectively prevent theterminal device from being easily tracked by a hacker due to use of asame certificate issued by the ECA during communication, therebypreventing privacy from being infringed. The pseudonym certificate mayinclude a public key, a certificate expiration time, and a certificatesignature. The public key in the pseudonym certificate is different fromthat in the ECA certificate.

For a pseudonym identity: Before a pseudonym identity is described, anidentity-based cryptography (IBC for short) is first described. The IBCincludes an identity-based signature (Identity Based Cryptography, IBSfor short) and identity-based encryption (IBE for short). Each terminaldevice has an own public-private key pair. A public key in thepublic-private key pair is a real identifier of the terminal device, forexample, may be a meaningful character string such as an email addressor a telephone number. A private key in the public-private key pair isgenerated by a private key generator (PKG for short) or a key generationcenter (KGC for short) based on the public key in the public-private keypair and a master private key of the key generation center.

A pseudo identity may also be referred to as a pseudonym identity, isalso generated by a PKG or a KGC, and is not a real identity of theterminal device. The pseudonym identity may include a pseudonymidentifier of the terminal device, and the pseudonym identifier isequivalent to the public key in the public-private key pair.

A function of the pseudonym identity in a communications system is thesame as a function of the pseudonym certificate in the communicationssystem. A difference lies in that the terminal device no longer carriesthe certificate in a sent message, but uses the pseudonym identity inthe sent message.

FIG. 1 is a first diagram of a system architecture according to anembodiment of this application. Referring to FIG. 1 , the systemarchitecture includes at least one terminal device 11, a registrationserver 12, a pseudonym identity generation server 13, a pseudonymcertificate generation server 14, and a behavior investigation server17.

The terminal device 11 may be a V2X device. The registration server 12may be a registration authority (RA for short) server. The pseudonymidentity generation server 13 is a KGC or PKG server. The pseudonymcertificate generation server 14 is a PCA server. The pseudonym identitygeneration server 13 and the pseudonym certificate generation server 14may be referred to as pseudonym credential generation servers.

FIG. 1 shows only an example of the system architecture designed in thisapplication. There may be a plurality of registration servers 12, aplurality of pseudonym identity generation servers 13, a plurality ofpseudonym certificate generation servers 14, and a plurality of behaviorinvestigation servers 17.

FIG. 2 is a second diagram of a system architecture according to anembodiment of this application. Referring to FIG. 1 , the systemarchitecture includes at least one terminal device 11, a registrationserver 12, a pseudonym identity generation server 13, a pseudonymcertificate generation server 14, a first linkage value server 15, asecond linkage value server 16, and a behavior investigation server 17.

The terminal device 11 may be a V2X device. The registration server 12may be a registration authority (RA for short) server. The pseudonymidentity generation server 13 is a KGC or PKG server. The pseudonymcertificate generation server 14 is a PCA server. The first linkagevalue server 15 a first linkage value authority (LA for short) server.The second linkage value server 16 is a second LA server.

The pseudonym identity generation server 13 and the pseudonymcertificate generation server 14 may be referred to as pseudonymcredential generation servers.

FIG. 2 shows only an example of the system architecture designed in thisapplication. There may be a plurality of registration servers 12, aplurality of pseudonym identity generation servers 13, a plurality ofpseudonym certificate generation servers 14, a plurality of firstlinkage value servers 15, a plurality of second linkage value servers16, and a plurality of behavior investigation servers 17.

FIG. 3 is a schematic diagram of an application scenario based on thesystem architecture shown in FIG. 1 . Referring to FIG. 3 , in anInternet of Vehicles, to ensure security of communication between avehicle 21 and another vehicle, the vehicle 21 needs to obtain aplurality of pseudonym credentials (pseudonym certificates or pseudonymidentities). In this case, the vehicle 21 sends a first request messageto the registration server 12. The first request message includes anidentifier of the vehicle 21 and information about N to-be-requestedpseudonym credentials. The registration server 12 determines whether thefirst request message is a pseudonym certificate request message or apseudonym identity request message; and if the first request message isa pseudonym certificate request message, sends N second request messagesto the pseudonym certificate generation server 14; or if the firstrequest message is a pseudonym identity request message, sends N secondrequest messages to the pseudonym identity generation server 13. Eachsecond request message includes a tag of the corresponding secondrequest message, and information about one to-be-requested pseudonymcredential in the information about the N to-be-requested pseudonymcredentials. The pseudonym credential generation server (the pseudonymcertificate generation server 14 or the pseudonym identity generationserver 13) generates N pseudonym credentials based on the N secondrequest messages. Each pseudonym credential includes the tag of thecorresponding second request message. The pseudonym credentialgeneration server sends the N pseudonym credentials to the registrationserver 12. The registration server 12 sends the N pseudonym credentialsto the vehicle 21.

Further, after receiving a pseudonym credential that is of anothervehicle and that is sent by any vehicle in the vehicle network, thebehavior investigation server 17 sends the pseudonym credential to theregistration server 12. Because an identifier of a vehicle and a tag ofa second request message are stored in association with each other inthe registration server 12, the registration server 12 may obtain anidentifier of the another vehicle based on the tag included in thepseudonym credential, to determine a real identity of the anothervehicle.

FIG. 4 is a schematic diagram of an application scenario based on thesystem architecture shown in FIG. 2 . Referring to FIG. 4 , an Internetof Vehicles includes a plurality of vehicles 21. To ensure security ofcommunication between each vehicle 21 and another vehicle, the vehicle21 needs to obtain a plurality of pseudonym credentials (a pseudonymcertificate or a pseudonym identity). In this case, the vehicle 21 sendsa first request message to the registration server 12. The first requestmessage includes an identifier of the vehicle 21 and information about Nto-be-requested pseudonym credentials. The registration server 12 sends,to the first linkage value server 15, a message for requesting togenerate N first pre-linkage values, and sends, to the second linkagevalue server 16, a message for requesting to generate N secondpre-linkage values. The first linkage value server 15 generates N firstpre-linkage values, and sends the N first pre-linkage values to theregistration server 12. The second linkage value server 16 generates Nsecond pre-linkage values, and sends the N second pre-linkage values tothe registration server 12. The registration server 12 determineswhether the first request message is a pseudonym certificate requestmessage or a pseudonym identity request message, and if the firstrequest message is a pseudonym certificate request message, sends Nsecond request messages to the pseudonym certificate generation server14; or if the first request message is a pseudonym identity requestmessage, sends N second request messages to the pseudonym identitygeneration server 13. Each second request message includes a tag of thecorresponding second request message, information about oneto-be-requested pseudonym credential in the information about the Nto-be-requested pseudonym credential information, one first pre-linkagevalue, and one second pre-linkage value. The pseudonym credentialgeneration server (the pseudonym certificate generation server 14 or thepseudonym identity generation server 13) generates N pseudonymcredentials (pseudonym certificates or pseudonym identities) based onthe N second request messages. Each pseudonym credential includes thetag of the corresponding second request message and one linkage value(obtained based on a first pre-linkage value and a second pre-linkagevalue that are included in the corresponding second request message).The pseudonym credential generation server sends the N pseudonymcredentials to the registration server 12. The registration server 12sends the N pseudonym credentials to the vehicle 21.

Further, after receiving a pseudonym credential that is of anothervehicle and that is sent by any vehicle in the vehicle network, thebehavior investigation server 17 sends the pseudonym credential to theregistration server 12. Because an identifier of a vehicle and a tag ofa second request message are stored in association with each other inthe registration server 12, the registration server 12 may obtain anidentifier of the another vehicle based on the tag included in thepseudonym credential, to determine a real identity of the anothervehicle. The registration server 12 sends first information related tothe identifier of the another vehicle to the first linkage value server15, so that the first linkage value server 15 obtains a first targetvalue stored in linkage with the first information, and sends the firsttarget value to the behavior investigation server 17. The registrationserver 12 sends second information related to the identifier of theanother vehicle to the second linkage value server 15, so that thesecond linkage value server 15 obtains a second target value stored inlinkage with the second information, and sends the second target valueto the behavior investigation server 17. The behavior investigationserver 17 obtains N linkage values based on the first target value andthe second target value, and the behavior investigation server 17revokes N pseudonym credentials including the linkage values in the Nlinkage values, that is, revokes N pseudonym credentials of the anothervehicle.

For clarity in FIG. 4 , communication connections between the behaviorinvestigation server 17 and the second linkage value server 15 andbetween the behavior investigation server 17 and the second linkagevalue server 16 are not shown.

First, an example in which the pseudonym credential is a pseudonymcertificate is used to describe a pseudonym credential configurationmethod provided in the embodiments of this application.

FIG. 5 is a first signaling interaction diagram of a pseudonymcredential configuration method according to an embodiment of thisapplication. Referring to FIG. 5 , the method in this embodimentincludes the following steps.

Step S101: A terminal device sends a first request message to aregistration server, where the first request message includes anidentifier of the terminal device and information about Nto-be-requested pseudonym certificates.

Specifically, in this embodiment, the terminal device may be a V2Xdevice, and the registration server is an RA server.

When the terminal device needs to apply for a pseudonym certificate, theterminal device sends a first request message to the registrationserver. The first request message includes an identifier ID1 of theterminal device and information about N to-be-requested pseudonymcertificates. The identifier ID1 herein is a real identifier of theterminal device.

Specifically, information about a to-be-requested pseudonym certificatemay include a temporary public key and a public key that needs to bewritten into the pseudonym certificate. If the terminal device needs toapply for 20 pseudonym certificates, the first request message includesinformation about 20 to-be-requested pseudonym certificates. In thiscase, information about a first to-be-requested pseudonym certificatemay include a temporary public key 1 and a public key 1 that needs to bewritten into a pseudonym certificate 1; information about a secondto-be-requested pseudonym certificate may include a temporary public key2 and a public key 2 that needs to be written into a pseudonymcertificate 2; information about a third to-be-requested pseudonymcertificate may include a temporary public key 3 and a public key 3 thatneeds to be written into a pseudonym certificate 3; and so on.Information about a twentieth to-be-requested pseudonym certificate mayinclude a temporary public key 20 and a public key 20 needs to bewritten into a pseudonym certificate 20.

To ensure that the registration server does not learn of each temporarypublic key and each public key that needs to be written into thepseudonym certificate, the information that is about eachto-be-requested pseudonym credential and that is carried in the firstrequest message may be information obtained after “the temporary publickey and the public key that needs to be written into the pseudonymcertificate” are encrypted by using a public key corresponding to apseudonym certificate generation server. In this case, information aboutN to-be-requested pseudonym credentials may be represented asEn(C1_VPK(0), C1_EPK(0), PCA_PK), En(C1_VPK(1), C1_EPK(1), PCA_PK), . .. , En(C1_VPK(i), C1_EPK(i), PCA_PK), . . . , and En(C1_VPK(N−1),C1_EPK(N−1), PCA_PK). C1_VPK(i) indicates a public key that needs to bewritten into an (i+1)^(th) pseudonym certificate. C1_EPK(i) indicates an(i+1)^(th) temporary public key. PCA_PK indicates the public keycorresponding to the pseudonym certificate generation server.En(C1_VPK(i), C1_EPK(i), PCA_PK) indicates information obtained after“the public key that needs to be written into the (i+1)^(th) pseudonymcertificate and the (i+1)^(th) temporary public key” are encrypted byusing the public key PCA_PK corresponding to the pseudonym certificategeneration server. i=0, 1, . . . , N−1.

The pseudonym certificate generation server is a PCA server.

The identifier ID1 of the terminal device, En(C1_VPK(0), C1_EPK(0),PCA_PK), En(C1_VPK(1), C1_EPK(1), PCA_PK), . . . , En(C1_VPK(i),C1_EPK(i), PCA_PK), . . . , and En(C1_VPK (N−1), C1_EPK (N−1), PCA_PK)may be referred to as a transmission text. To ensure confidentiality ina transmission process, the transmission text needs to be signed, thatis, hash calculation needs to be performed on “ID1, En(C1_VPK(0),C1_EPK(0), PCA_PK), En(C1_VPK(1), C1_EPK(1), PCA_PK), . . . ,En(C1_VPK(i), C1_EPK(i), PCA_PK), . . . , and En(C1_VPK(N−1),C1_EPK(N−1), PCA_PK)”, to obtain a digest of the transmission text.Then, the digest of the transmission text is encrypted by using aprivate key (C1_ESK) corresponding to an ECA certificate of the terminaldevice, to obtain a signature of the transmission text.

Therefore, the first request message may include the identifier ID1 ofthe terminal device, En(C1_VPK(0), C1_EPK(0), PCA_PK), En(C1_VPK(1),C1_EPK(1), PCA_PK), . . . , En(C1_VPK(i), C1_EPK(i), PCA_PK), . . . ,and En(C1_VPK(N−1), C1_EPK(N−1), PCA_PK), the signature of thetransmission text, and the ECA certificate.

The ECA certificate described above may include the identifier ID1 ofthe terminal device, a public key corresponding to the ECA certificate,an ECA certificate expiration time, and a signature of the ECAcertificate.

Step S102: The registration server determines that a type of the firstrequest message sent by the terminal device is a pseudonym certificaterequest message.

Specifically, a method for determining, by the registration server, thetype of the first request message sent by the terminal device may beimplemented by using the following two implementations, but not limitedto the following two implementations.

In an implementable implementation, if a received first request messagecarries an ECA certificate, the registration server determines that atype of the first request message is a pseudonym certificate requestmessage; or if a received first request message carries no ECAcertificate, the registration server determines that a type of the firstrequest message is a pseudonym identity request message. For example, instep S101, when the terminal device sends a first request message usedto request a pseudonym certificate to the registration server, if thefirst request message carries an ECA certificate, the registrationserver determines that the type of the first request message sent by theterminal device is a pseudonym certificate request message.

In another implementable implementation, the first request messagefurther includes indication information, and the indication informationindicates a type of the first request message. The registration serverdetermines the type of the first request message based on the indicationinformation. For example, if the indication information is a firstidentifier, it is determined that the type of the first request messageis a pseudonym certificate request message; or if the indicationinformation is a second identifier, it is determined that the type ofthe first request message is a pseudonym identity request message. Forexample, in step S101, if the terminal device requests a pseudonymcertificate, the first request message carries the first identifier.

Step S103: The registration server verifies the received first requestmessage.

After determining that the type of the first request message sent by theterminal device is a pseudonym certificate request message, theregistration server decrypts a signature of a transmission text in thefirst request message by using a public key included in an ECAcertificate in the first request message, to obtain a digest 1 of thetransmission text. A hash algorithm used when the terminal deviceobtains the signature of the transmission text is used to obtain adigest 2 of the transmission text included in the first request message.If the digest 1 of the transmission text is the same as the digest 2 ofthe transmission text, it indicates that the first request messagereceived by the registration server is the first request message sent bythe terminal device and is not tampered with, that is, the first requestmessage is successfully verified.

Step S204: After the first request message is successfully verified, theregistration server sends N second request messages to the pseudonymcertificate generation server, where each second request messageincludes a tag of the corresponding second request message, andinformation about one to-be-requested pseudonym certificate in theinformation about the N to-be-requested pseudonym certificates.

Specifically, a first form of the second request message is as follows:An i^(th) second request message may be represented as m=(C1_VPK(i−1),C1_EPK(i−1), Code(m)_(i-1)), where Code(m)_(i-1) is a tag of the i^(th)second request message, and i=0, 2, . . . , N−1.

It may be understood that information that is about each to-be-requestedpseudonym credential and that is carried in the first request messagecorresponding to the second request message in this form is “a temporarypublic key and a public key that needs to be written into a pseudonymcertificate” that are not encrypted by using the public keycorresponding to the pseudonym certificate generation server.

A second form of the second request message is as follows: An i^(th)second request message may be represented as m=En(C1_VPK(i−1),C1_EPK(i−1), Code(m)_(i-1)), where Code(m)_(i-1) is a tag of the i^(th)second request message, and i=0, 2, . . . , N−1.

It may be understood that information that is about each to-be-requestedpseudonym credential and that is carried in the first request messagecorresponding to the second request message in this form is informationobtained after “a temporary public key and a public key that needs to bewritten into a pseudonym certificate” are encrypted by using the publickey corresponding to the pseudonym certificate generation server.

When the second request message is in the foregoing second form, it canbe ensured that the registration server does not learn of the public keythat needs to be written into the pseudonym certificate or the temporarypublic key, thereby ensuring confidentiality of the pseudonymcertificate.

Code(m)_(i-1) may be a randomly generated code, or may be a hash valueobtained based on “En(C1_VPK(i−1), C1_EPK(i−1), PCA_PK)”.

The tag of each second request message and the identifier of theterminal device are stored in association with each other in theregistration server, or the tag of the second request message, thesecond request message, and the identifier of the terminal device arestored in association with each other in the registration server, sothat the registration server can obtain, based on the tag of the secondrequest message, the identifier that is of the terminal device and thatis associated with the tag of the second request message.

It may be understood that, in step S104, if the type of the firstrequest message is a pseudonym certificate request message, theregistration server sends the N second request messages to the pseudonymcertificate generation server; or if the type of the first requestmessage is a pseudonym identity request message, the registration serversends the N second request messages to the pseudonym identity generationserver. Based on the system architecture in the embodiments of thisapplication, in the method in this embodiment of this application, botha pseudonym identity and the pseudonym certificate can be generated.

Step S105: The pseudonym certificate generation server generates Npseudonym certificates based on the N second request messages.

Specifically, because the second request message does not include theidentifier of the terminal device, the pseudonym certificate generationserver does not learn of a terminal device to which the pseudonymcertificate belongs, but learns of content of the pseudonym certificate.As described above, if the first request message includes En(C1_VPK(0),C1_EPK(0), PCA_PK), En(C1_VPK(1), C1_EPK(1), PCA_PK), . . . ,En(C1_VPK(i), C1_EPK(i), PCA_PK), . . . , and En(C1_VPK(N−1),C1_EPK(N−1), PCA_PK), it can be ensured that the registration serverdoes not learn of content of the pseudonym certificate, but learns of anowner of the pseudonym certificate. In this way, confidentiality of thegenerated pseudonym certificate can be ensured, and the pseudonymcertificate is not easily stolen by a single device.

If the information about the to-be-requested pseudonym certificate inthe second request message is information obtained after actualinformation of the to-be-requested pseudonym certificate is encrypted byusing the public key of the pseudonym certificate generation server,that is, the i^(th) second request message may be represented asm=((En(C1_VPK(i−1), C1_EPK(i−1), PCA_PK)), Code(m)i−1),

that the pseudonym certificate generation server generates a pseudonymcertificate based on the second request message includes:

The pseudonym certificate generation server decrypts the informationabout the to-be-requested pseudonym certificate by using a private keyof the pseudonym certificate generation server, to obtain actualinformation of the to-be-requested certificate.

The pseudonym certificate generation server generates the pseudonymcertificate based on the tag of the second request message and at leasta part of the actual information of the to-be-requested pseudonymcredential.

Alternatively, that the pseudonym certificate generation servergenerates a pseudonym certificate based on the second request messageincludes:

The pseudonym certificate generation server decrypts the informationabout the to-be-requested pseudonym certificate by using a private keyof the pseudonym certificate generation server, to obtain actualinformation of the to-be-requested certificate.

The pseudonym certificate generation server encrypts the tag of thesecond request message by using a symmetric key of the pseudonymcertificate generation server, to obtain an encrypted tag.

The pseudonym certificate generation server generates the pseudonymcertificate based on the encrypted tag and at least a part of the actualinformation of the to-be-requested pseudonym certificate.

Specifically, if the i^(th) second request message may be represented asm=(En(C1_VPK(i−1), C1_EPK(i−1), PCA_PK), Code(m)_(i-1)), the pseudonymcertificate generation server decrypts En(C1_VPK(i−1), C1_EPK(i−1),PCA_PK) by using a private key corresponding to PCA_PK (that is, aprivate key of the pseudonym certificate generation server), to obtainC1_VPK(i−1) and C1_EPK(i−1) (C1_VPK(i−1) and C1_EPK(i−1) are the actualinformation of the to-be-requested pseudonym certificate), and writesC1_VPK(i−1) into an i^(th) pseudonym certificate, that is, C1_VPK(i−1)is a public key included in the i^(th) generated pseudonym certificate.

The pseudonym certificate generation server encrypts Code(m)_(i-1) byusing a symmetric key (which may be a symmetric key of PCA)corresponding to the pseudonym certificate generation server, to obtainencrypted Code(m)_(i-1), and writes the encrypted Code(m)i−1 into thei^(th) pseudonym certificate.

The pseudonym certificate generation server may further write anexpiration time of the i^(th) pseudonym certificate into the pseudonymcertificate.

The pseudonym certificate generation server may perform a hash operationbased on C1_VPK(i−1), the encrypted Code(m)_(i-1), and the expirationtime of the i^(th) pseudonym certificate, to obtain a hash value, andencrypt the hash value by using the private key of the pseudonymcertificate generation server, obtain a signature of the pseudonymcertificate. Therefore, the i^(th) pseudonym certificate may includeC1_VPK(i−1), the encrypted Code(m)_(i-1), the expiration time of thei^(th) pseudonym certificate, and the signature of the pseudonymcertificate.

After obtaining the i^(th) pseudonym certificate, the pseudonymcertificate generation server may encrypt the i^(th) pseudonymcertificate by using decrypted C1_EPK(i−1) (an i^(th) temporary publickey), to obtain an i^(th) encrypted pseudonym certificate.

Encrypting each generated pseudonym certificate can ensure that in asubsequent step, after the pseudonym certificate generation server sendsthe N pseudonym certificates to the registration server, theregistration server does not learn of content included in the pseudonymcertificates.

In conclusion, the pseudonym certificate generation server generates onepseudonym certificate based on each second request message, or generatesN encrypted pseudonym certificates of the terminal device based on the Nsecond request messages.

Step S106: The pseudonym certificate generation server sends the Npseudonym certificates to the registration server.

It may be understood that, if the pseudonym certificate generationserver encrypts the generated pseudonym certificate by using thetemporary public key, the pseudonym certificate generation server sendsthe N encrypted pseudonym certificates to the registration server.

Step S107: The registration server sends the N pseudonym certificates tothe terminal device.

It may be understood that if the registration server receives Nencrypted pseudonym certificates, the registration server sends the Nencrypted pseudonym certificates to the terminal device.

Because the pseudonym certificate generation server encrypts thegenerated pseudonym certificate by using the temporary public keycarried in the first request message sent by the terminal device to theregistration server, and the terminal device stores a private keycorresponding to the temporary public key, after receiving the Npseudonym certificates, the terminal device decrypts the N encryptedpseudonym certificates by using the private key corresponding to thetemporary public key, to obtain the N pseudonym certificates.

In addition, the terminal device or the pseudonym certificate generationserver further generates a private key corresponding to the public keyin the pseudonym certificate. If there are N pseudonym certificates, Ncorresponding private keys are generated. If the private keycorresponding to the public key in the pseudonym certificate isgenerated by the pseudonym certificate generation server, the pseudonymcertificate generation server sends the private key corresponding to thepublic key in the pseudonym certificate to the terminal device.

In the foregoing process, the terminal device obtains the N pseudonymcertificates. Subsequently, the terminal device can performcommunication by using the N pseudonym certificates. For example, whenthe i^(th) pseudonym certificate is used for communication, a transmitend signs to-be-transmitted information by using a private keycorresponding to the public key in the i^(th) pseudonym certificate, andcarries the i^(th) pseudonym certificate. A receive end verifies thereceived information by using the public key in the i^(th) pseudonymcertificate, to ensure communication security.

In this embodiment, the generated pseudonym certificate includes the tagof the second request message, and the tag of the second request messageand the real identifier of the terminal device are stored in associationwith each other in the registration server. In this way, when theterminal device has an improper behavior, the registration server canobtain the real identifier of the terminal device based on the tag inthe pseudonym certificate, so that a real identity of the terminaldevice can be quickly determined based on the pseudonym certificate.

To quickly revoke a plurality of pseudonym certificates of a terminaldevice when the terminal device has an improper behavior, thisembodiment makes further improvements based on the foregoing embodiment.FIG. 6A, FIG. 6B and FIG. 6C are a second signaling interaction diagramof a pseudonym credential configuration method according to anembodiment of this application. Referring to FIG. 6A, FIG. 6B and FIG.6C, the method in this embodiment includes the following steps.

Step S201: A terminal device sends a first request message to aregistration server, where the first request message includes anidentifier of the terminal device and information about Nto-be-requested pseudonym certificates.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S202: The registration server determines that a type of the firstrequest message sent by the terminal device is a pseudonym certificaterequest message.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S203: The registration server verifies the received first requestmessage.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S204: After the first request message is successfully verified, theregistration server sends a third request message to a first linkagevalue server, where the third request message includes indicationinformation instructing the first linkage value server to generate Nfirst pre-linkage values.

Specifically, the third request message further includes a first hashvalue obtained after the registration server performs a hash operationon the identifier ID1 of the terminal device and a first random number.The first random number is a random number randomly generated by theregistration server for the terminal device.

The first linkage value server is a first LA server.

The registration server stores the first hash value in association withthe identifier ID1 of the terminal device, so that the registrationserver can obtain the identifier ID1 of the terminal device based on thefirst hash value, or obtain the first hash value based on the identifierID1 of the terminal device.

Step S205: The first linkage value server generates N first pre-linkagevalues.

That the first linkage value server generates N first pre-linkage valuesincludes: The first linkage value server generates N first seed values,where the N first seed values include one first native seed value. Thefirst linkage value server generates N first pre-linkage values based onthe N first seed values.

Specifically, the first linkage value server first generates a firstnative seed value LS₁(0), a k^(th) seed value is a hash value of a(k−1)^(th) seed value, k=2, 3, . . . , N, and a first seed value is thefirst native seed value LS₁(0). For example, LS₁(1)=Hash(LS₁(0)), andLS₁(2)=Hash(LS₁(1)), that is, LS₁(k)=Hash(LS₁(k−1)).

An m^(th) first pre-linkage value may be a part, for example, the firsthalf or the last half of an m^(th) first seed value; or an m^(th) firstpre-linkage value is a hash value of an m^(th) first seed value, wherem=1, 2, 3, . . . , N.

Further, the first linkage value server stores the first hash value inassociation with the N first seed values, so that the first linkagevalue server can obtain the N first seed values based on the first hashvalue, or can obtain the first hash value based on the N first seedvalues.

Alternatively, the first linkage value server stores the first hashvalue in association with the first native seed value, so that the firstlinkage value server can obtain the first native seed value based on thefirst hash value, or can obtain the first hash value based on the firstnative seed value.

Alternatively, the first linkage value server stores the first hashvalue in association with the N first pre-linkage values, so that thefirst linkage value server can obtain the N first pre-linkage valuesbased on the first hash value, or can obtain the first hash value basedon the N first pre-linkage values.

Step S206: The first linkage value server sends a first feedback messageto the registration server, where the first feedback message includesthe N first pre-linkage values.

Specifically, the first feedback message may further include the firsthash value, and the first hash value is a hash value corresponding tothe identifier of the terminal device and the first random number.

To ensure that the registration server does not learn of the N firstpre-linkage values, the N first pre-linkage values in the first feedbackmessage may be N first pre-linkage values encrypted by using a publickey PCA_PK of a pseudonym certificate generation server, and may berepresented as EPLV1(0), EPLV1(2), EPLV1(i), . . . , and EPLV1(N−1).EPLV1(i)=En(PLV1(i), PCA_PK), indicating that an (i+1)^(th) firstpre-linkage value is encrypted by using the public key PCA_PK of thepseudonym certificate generation server.

Step S207: After the first request message is successfully verified, theregistration server sends a fourth request message to a second linkagevalue server, where the fourth request message includes indicationinformation instructing the second linkage value server to generate Nsecond pre-linkage values.

Specifically, the fourth request message further includes a second hashvalue obtained by performing a hash operation on the identifier ID1 ofthe terminal device and a second random number. The second random numberis a random number randomly generated by the registration server for theterminal device.

The second linkage value server is a second LA server.

The registration server stores the second hash value in association withthe identifier ID1 of the terminal device, so that the registrationserver can obtain the identifier ID1 of the terminal device based on thesecond hash value, or obtain the second hash value based on theidentifier ID1 of the terminal device.

Step S208: The second linkage value server generates N secondpre-linkage values.

That the second linkage value server generates N second pre-linkagevalues includes: The second linkage value server generates N second seedvalues. The N first seed values include one second native seed value.The second linkage value server generates N second pre-linkage valuesbased on the N second seed values.

Specifically, the second linkage value server first generates a secondnative seed value LS₂(0), a k^(th) seed value is a hash value of a(k−1)^(th) seed value, and k is equal to 2, 3, . . . , N. For example,LS₂(1)=Hash(LS₂(0)), and LS₂(2)=Hash(LS₂(2)), that is,LS₂(k)=Hash(LS₂(k−1)).

An m^(th) second pre-linkage value may be a part, for example, the firsthalf or the last half of an m^(th) second seed value; or an m^(th)second pre-linkage value is a hash value of an m^(th) second seed value,where m=1, 2, 3, . . . , N.

Further, the second linkage value server stores the second hash value inassociation with the N second seed values, so that the second linkagevalue server can obtain the N second seed values based on the secondhash value, or can obtain the second hash value based on the N secondseed values.

Alternatively, the second linkage value server stores the second hashvalue in association with the second native seed value, so that thesecond linkage value server can obtain the second native seed valuebased on the second hash value, or can obtain the second hash valuebased on the second native seed value.

Alternatively, the second linkage value server stores the second hashvalue in association with the N second pre-linkage values, so that thesecond linkage value server can obtain the N second pre-linkage valuesbased on the second hash value, or can obtain the second hash valuebased on the N second pre-linkage values.

Step S209: The second linkage value server sends a second feedbackmessage to the registration server, where the second feedback messageincludes the N second pre-linkage values.

Specifically, the second feedback message may further include the secondhash value, and the second hash value is a hash value corresponding to acombination of the identifier of the terminal device and the secondrandom number.

To ensure that the registration server does not learn of the N secondpre-linkage values, the N second pre-linkage values in the firstfeedback message may be N second pre-linkage values encrypted by using apublic key PCA_PK of a pseudonym certificate generation server, and maybe represented as EPLV2(1), EPLV2(2), . . . , EPLV2(i), . . . , andEPLV2(N). EPLV1(i)=En(PLV1(i), PCA_PK), indicating that an (i+1)^(th)second pre-linkage value PLV1(i) is encrypted by using the public keyPCA_PK of the pseudonym certificate generation server.

Step S210: The registration server sends N second request messages tothe pseudonym certificate generation server, where each second requestmessage includes a tag of the corresponding second request message,information about one to-be-requested pseudonym certificate in theinformation about the N to-be-requested pseudonym certificates, onefirst pre-linkage value, and one second pre-linkage value.

Specifically, an i^(th) second request message may be represented asm=((C1_VPK(i−1), C1_EPK(i−1), PLV1(i−1), PLV2(i−1)), Code(m)_(i-1)),where Code(m)_(i-1) is a tag of the i^(th) second request message, andi=0, 1, . . . , N−1.

Alternatively, an i^(th) second request message may be represented asm=((En(C1_VPK(i−1), C1_EPK(i−1), PCA_PK), EPLV1(i−1), EPLV2(i−1)),Code(m)_(i-1)), where Code(m)_(i-1) is a tag of the i^(th) secondrequest message, and i=0, 1, . . . , N−1.

When the i^(th) second request message is in the foregoing second form,it can be ensured that the registration server does not learn of apublic key that needs to be written into a pseudonym certificate, atemporary public key, and a first pre-linkage value and a secondpre-linkage value that are required for generating a linkage value ofthe pseudonym certificate.

Code(m)_(i-1) may be a randomly generated code, or may be a hash valueobtained based on “En(C1_VPK(i−1), C1_EPK(i−1), PCA_PK), EPLV1(i−1), andEPLV2(i−1)”.

The tag of each second request message and the identifier of theterminal device are stored in association with each other in theregistration server, or the tag of the second request message, thesecond request message, and the identifier of the terminal device areassociated and stored in the registration server, so that theregistration server can obtain, based on the tag of the second requestmessage, the identifier that is of the terminal device and that isassociated with the tag of the second request message.

It may be understood that, if the type of the first request message is apseudonym certificate request message, the registration server sends theN second request messages to the pseudonym certificate generationserver; or if the type of the first request message is a pseudonymidentity request message, the registration server sends the N secondrequest messages to the pseudonym identity generation server. Based onthe system architecture in the embodiments of this application, in themethod in this embodiment of this application, both a pseudonym identityand the pseudonym certificate can be generated.

Step S211: The pseudonym certificate generation server generates Npseudonym certificates based on the N second request messages.

Specifically, because the second request message does not include theidentifier of the terminal device, the pseudonym certificate generationserver does not learn of a terminal device to which the pseudonymcertificate belongs, but learns of content of the pseudonym certificate.As described above, if the first request message includes ID1,En(C1_VPK(0), C1_EPK(0), PCA_PK), En(C1_VPK(1), C1_EPK(1), PCA_PK), . .. , En(C1_VPK(i), C1_EPK(i), PCA_PK), . . . , and En(C1_VPK(N−1),C1_EPK(N−1), PCA_PK), the first feedback message includes EPLV1(0),EPLV1(2), . . . , EPLV1(i), . . . , and EPLV1(N−1), and the secondfeedback message includes EPLV2(0), EPLV2(1), . . . , EPLV2(i), . . . ,and EPLV2(N−1), it can be ensured that the registration server does notlearn of content of the pseudonym certificate, but learns of an owner ofthe pseudonym certificate. In this way, confidentiality of the generatedpseudonym certificate can be ensured, and the pseudonym certificate isnot easily stolen by a single device.

If the information about the to-be-requested pseudonym certificate inthe second request message is information obtained after actualinformation of the to-be-requested pseudonym certificate is encrypted byusing the public key of the pseudonym certificate generation server, andthe first pre-linkage value and the second pre-linkage value that areencrypted by using the public key of the pseudonym certificategeneration server, that is, the i^(th) second request message may berepresented as m=((En(C1_VPK(i−1), C1_EPK(i−1), PCA_PK), EPLV1(i−1),EPLV2(i−1)), Code(m)_(i-1)),

that the pseudonym certificate generation server generates a pseudonymcertificate based on the second request message includes:

The pseudonym certificate generation server decrypts the informationabout the to-be-requested pseudonym certificate by using a private keyof the pseudonym certificate generation server, to obtain actualinformation of the to-be-requested certificate.

The pseudonym certificate generation server decrypts, by using theprivate key of the pseudonym certificate generation server, the firstpre-linkage value and the second pre-linkage value that are encrypted byusing the public key of the pseudonym certificate generation server, toobtain the first pre-linkage value and the second pre-linkage value.

The pseudonym certificate generation server performs an exclusive ORoperation on the first pre-linkage value and the second pre-linkagevalue to obtain a linkage value.

The pseudonym certificate generation server generates the pseudonymcertificate based on the tag of the second request message, at least apart of the actual information of the to-be-requested pseudonymcredential, and the linkage value.

Alternatively, that the pseudonym certificate generation servergenerates a pseudonym certificate based on the second request messageincludes:

The pseudonym certificate generation server decrypts the informationabout the to-be-requested pseudonym certificate by using a private keyof the pseudonym certificate generation server, to obtain actualinformation of the to-be-requested certificate.

The pseudonym certificate generation server decrypts, by using theprivate key of the pseudonym certificate generation server, the firstpre-linkage value and the second pre-linkage value that are encrypted byusing the public key of the pseudonym certificate generation server, toobtain the first pre-linkage value and the second pre-linkage value.

The pseudonym certificate generation server performs an exclusive ORoperation on the first pre-linkage value and the second pre-linkagevalue to obtain a linkage value.

The pseudonym certificate generation server encrypts the tag of thesecond request message by using a symmetric key of the pseudonymcertificate generation server, to obtain an encrypted tag.

The pseudonym certificate generation server generates the pseudonymcertificate based on the encrypted tag, at least a part of the actualinformation of the to-be-requested pseudonym certificate, and thelinkage value.

The linkage value is obtained based on the first pre-linkage valuegenerated by the first linkage value server and the second pre-linkagevalue generated by the second linkage value server, so that it can beensured that the linkage value written into the pseudonym certificate islearned of by only the pseudonym certificate generation server, therebyfurther ensuring security of the pseudonym certificate.

Specifically, if the i^(th) second request message may be represented asm=((En(C1_VPK(i−1), C1_EPK(i−1), PCA_PK), EPLV1(i−1), EPLV2(i−1)),Code(m)_(i-1)), the pseudonym certificate generation server decryptsEn(C1_VPK(i−1), C1_EPK(i−1), PCA_PK) by using a private keycorresponding to PCA_PK (that is, the private key of the pseudonymcertificate generation server), to obtain C1_VPK(i−1) and C1_EPK(i−1)(C1_VPK(i−1) and C1_EPK(i−1) are the actual information of theto-be-requested pseudonym certificate), and writes C1_VPK(i−1) into ani^(th) pseudonym certificate, that is, C1_VPK(i−1) is a public keyincluded in the i^(th) generated pseudonym certificate.

The pseudonym certificate generation server decrypts EPLV1(i−1) andEPLV2(i−1) by using the private key corresponding to PCA_PK to obtainPLV1(i−1) and PLV2(i−1), and then performs the exclusive OR operation onPLV1(i−1) and PLV2(i−1) to obtain LV1(i−1). LV1(i−1) indicates an i^(th)linkage value generated after the exclusive OR operation is performed onan i^(th) first pre-linkage value and an i^(th) second pre-linkagevalue, and writes the i^(th) linkage value into the i^(th) pseudonymcertificate.

The pseudonym certificate generation server encrypts Code(m)_(i-1) byusing a symmetric key (which may be a symmetric key of PCA)corresponding to the pseudonym certificate generation server, to obtainencrypted Code(m)_(i-1), and writes the encrypted Code(m)_(i-1) into thei^(th) pseudonym certificate.

The pseudonym certificate generation server may further write anexpiration time of the i^(th) pseudonym certificate into the pseudonymcertificate.

The pseudonym certificate generation server may perform a hash operationbased C1_VPK(i−1), LV1(i−1), the encrypted Code(m)_(i-1), and theexpiration time of the i^(th) pseudonym certificate, to obtain a hashvalue, and encrypt the hash value by using the private key correspondingto the pseudonym certificate generation server, to obtain a signature ofthe pseudonym certificate. Therefore, the i^(th) pseudonym certificatemay include C1_VPK(i−1), LV1(i−1), the encrypted Code(m)_(i-1), theexpiration time of the i^(th) pseudonym certificate, and the signatureof the pseudonym certificate.

After obtaining the i^(th) pseudonym certificate, the pseudonymcertificate generation server may encrypt the i^(th) pseudonymcertificate by using decrypted C1_EPK(i−1) (an i^(th) temporary publickey) and C1_EPK(i−1), to obtain an i^(th) encrypted pseudonymcertificate.

Encrypting each generated pseudonym certificate can ensure that in asubsequent step, after the pseudonym certificate generation server sendsthe N pseudonym certificates to the registration server, theregistration server does not learn of content included in the pseudonymcertificates.

In conclusion, the pseudonym certificate generation server generates onepseudonym certificate based on each second request message, or generatesN encrypted pseudonym certificates of the terminal device based on the Nsecond request messages.

Step S212: The pseudonym certificate generation server sends the Npseudonym certificates to the registration server.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S213: The registration server sends the N pseudonym certificates tothe terminal device.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

In the foregoing process, the terminal device obtains the N pseudonymcertificates. Subsequently, the terminal device can performcommunication by using the N pseudonym certificates. For example, whenthe i^(th) pseudonym certificate is used for communication, a transmitend signs to-be-transmitted information by using a private keycorresponding to the public key in the i^(th) pseudonym certificate, andcarries the i^(th) pseudonym certificate. A receive end verifies thereceived information by using the public key in the i^(th) pseudonymcertificate, to ensure communication security.

In this embodiment, the generated pseudonym certificate includes the tagof the second request message and the linkage value. When the terminaldevice has an improper behavior, a real identifier ID1 of the terminaldevice can be quickly identified based on the tag of the second requestmessage. In addition, the registration server stores the first hashvalue of the identifier ID1 of the terminal device and the first randomnumber in association with the identifier ID1 of the terminal device,and stores the second hash value of the identifier ID1 of the terminaldevice and the second random number in association with the identifierID1 of the terminal device. Therefore, the registration server canobtain the first hash value and the second hash value based on theidentifier ID1 of the terminal device. In addition, the first hash valueand the second hash value are stored in linkage with the native seedvalue or the seed value or the pre-linkage value related to the linkagevalue in the generated pseudonym certificate, so that linkage values inall pseudonym certificates of the terminal device can be obtained, andall the pseudonym certificates of the terminal device can be quicklyrevoked based on the obtained linkage values.

Then, an example in which the pseudonym credential is a pseudonymidentity is used to describe the pseudonym credential configurationmethod provided in the embodiments of this application.

FIG. 7 is a third signaling interaction diagram of a pseudonymcredential configuration method according to an embodiment of thisapplication. Referring to FIG. 7 , the method in this embodimentincludes the following steps.

Step S301: A terminal device sends a first request message to aregistration server, where the first request message includes anidentifier of the terminal device and information about Nto-be-requested pseudonym identities.

Specifically, in this embodiment, the terminal device may be a V2Xdevice, and the registration server is an RA server.

When the terminal device needs to apply for a pseudonym identity, theterminal device sends a first request message to the registrationserver. The first request message includes an identifier ID1 of theterminal device and information about N to-be-requested pseudonymidentities. The identifier ID1 herein is a real identifier of theterminal device.

Specifically, information about a to-be-requested pseudonym identity mayinclude a temporary public key and a pseudonym identifier that needs tobe included in the to-be-requested pseudonym identity. If the terminaldevice needs to apply for 20 pseudonym identities, the first requestmessage includes information about 20 to-be-requested pseudonymidentities. In this case, information about a first to-be-requestedpseudonym identity may include a temporary public key 1 and a pseudonymidentity 1 that needs to be included in a to-be-requested pseudonymidentity 1; information about a second to-be-requested pseudonymidentity may include a temporary public key 2 and a pseudonym identity 2that is included in a to-be-requested pseudonym identity 2; informationabout a third to-be-requested pseudonym identity may include a temporarypublic key 3 and a pseudonym identity 3 that needs to be included in ato-be-requested pseudonym identity 3; and so on. Information about atwentieth to-be-requested pseudonym identity may include a temporarypublic key 20 and a pseudonym identity 20 that needs to be included in ato-be-requested pseudonym identity 20.

It may be understood that the pseudonym identifier that needs to beincluded in the pseudonym identity is not the real identifier ID1 of theterminal device.

To ensure that the registration server does not learn of each temporarypublic key and the pseudonym identity included in the to-be-requestedpseudonym identity, information that is about each to-be-requestedpseudonym identity and that is carried in the first request message maybe information obtained after “a temporary public key and a pseudonymidentity that needs to be included in the to-be-requested pseudonymidentity” are encrypted by using a public key corresponding to apseudonym identity generation server. In this case, the informationabout the N to-be-requested pseudonym identities may be represented asEn(C1_SID(0), C1_EPK(0), KGC_PK), En(C1_SID(1), C1_EPK(1), KGC_PK), . .. , En(C1_SID(i), C1_EPK(i), KGC_PK), . . . , and En(C1_SID(N−1),C1_EPK(N−1), KGC_PK). C1_SID(i) indicates a pseudonym identifier thatneeds to be included in an (i+1)^(th) to-be-requested pseudonymidentity. C1_EPK(i) indicates an (i+1)^(th) temporary public key. KGC_PKindicates the public key corresponding to the pseudonym identitygeneration server. En(C1_SID(i), C1_EPK(i), KGC_PK) indicatesinformation obtained after “the (i+1)^(th) temporary public key and thepseudonym identifier that needs to be included in the (i+1)^(th)to-be-requested pseudonym identity” are encrypted by using the publickey KGC_PK corresponding to the pseudonym identity generation server.i=0, 1, . . . , N−1.

The pseudonym identity generation server is a KGC server.

The identifier ID1 of the terminal device, En(C1_SID(0), C1_EPK(0),KGC_PK), En(C1_SID(1), C1_EPK(1), KGC_PK), . . . , En(C1_SID(i),C1_EPK(i), KGC_PK), . . . , and En(C1_SID(N−1), C1_EPK (N−1), KGC_PK)may be referred to as a transmission text. To ensure confidentiality ina transmission process, the transmission text needs to be signed, thatis, hash calculation needs to be performed on “ID1, En(C1_SID(0),C1_EPK(0), KGC_PK), En(C1_SID(1), C1_EPK(1), KGC_PK), . . . ,En(C1_SID(i), C1_EPK(i), KGC_PK), . . . , and En(C1_SID(N−1),C1_EPK(N−1), KGC_PK)”, to obtain a digest of the transmission text.Then, the digest of the transmission text is encrypted by using aprivate key (C1_ESK) in a public-private key pair that is of theterminal device and that is based on a real identity, to obtain asignature of the transmission text. A public key in the public-privatekey pair herein is a real identifier of the terminal device, and theprivate key (C1_ESK) in the public-private key pair is generated by aprivate key generation center or a key generation center.

Therefore, the first request message may include the identifier ID1 ofthe terminal device, En(C1_SID(0), C1_EPK(0), KGC_PK), En(C1_SID(1),C1_EPK(1), KGC_PK), . . . , En(C1_SID(i), C1_EPK(i), KGC_PK), . . . ,En(C1_SID(N−1), C1_EPK(N−1), KGC_PK), and the signature of thetransmission text.

It can be learned that the first request message sent to theregistration server when the terminal device requests the pseudonymidentity does not include the pseudonym certificate.

Step S302: The registration server determines that a type of the firstrequest message sent by the terminal device is a pseudonym identityrequest message.

Specifically, a method for determining, by the registration server, thetype of the first request message sent by the terminal device may beimplemented by using the following two implementations, but not limitedto the following two implementations.

In an implementable implementation, if a received first request messagecarries an ECA certificate, the registration server determines that atype of the first request message is a pseudonym identity requestmessage; or if a received first request message carries no ECAcertificate, the registration server determines that a type of the firstrequest message is a pseudonym identity request message. For example, instep S301, when the terminal device sends a first request message usedto request a pseudonym identity to the registration server, if the firstrequest message carries no ECA certificate, the registration serverdetermines that a type of the first request message sent by the terminaldevice is a pseudonym identity request message.

In another implementable implementation, the first request messagefurther includes indication information, and the indication informationindicates the type of the first request message. The registration serverdetermines the type of the first request message based on the indicationinformation. For example, if the indication information is a firstidentifier, it is determined that the type of the first request messageis a pseudonym identity request message; or if the indicationinformation is a second identifier, it is determined that the type ofthe first request message is a pseudonym identity request message. Forexample, in step S301, if the terminal device requests a pseudonymidentity, the sent first request message carries the second identifier.

Step S303: The registration server verifies the received first requestmessage.

After determining that the type of the first request message sent by theterminal device is a pseudonym identity request message, theregistration server decrypts the signature of the transmission text inthe first request message by using the public key in the public-privatekey pair that is based on the real identity, that is, the realidentifier ID1 of the terminal device, to obtain a digest 1 of thetransmission text, and obtains a digest 2 of the transmission textincluded in the first request message by using a hash algorithm usedwhen the terminal device obtains the signature of the transmission text.If the digest 1 of the transmission text is the same as the digest 2 ofthe transmission text, it indicates that the first request messagereceived by the registration server is the first request message sent bythe terminal device and is not tampered with, that is, the first requestmessage is successfully verified.

Step S304: After the first request message is successfully verified, theregistration server sends N second request messages to the pseudonymidentity generation server, where each second request message includes atag of the corresponding second request message, and information aboutone to-be-requested pseudonym identity in the information about the Nto-be-requested pseudonym identities.

Specifically, a first form of the second request message is as follows:An i^(th) second request message may be represented as m=(C1_SID(i−1),C1_EPK(i−1), Code(m)_(i-1)), where Code(m)_(i-1) is a tag of the i^(th)second request message, and i=0, 2, . . . , N−1.

It may be understood that information that is about each to-be-requestedpseudonym identity and that is carried in the first request messagecorresponding to the second request message in this form is “a temporarypublic key and a pseudonym identifier that needs to be written into apseudonym identity” that are not encrypted by using the public keycorresponding to the pseudonym identity generation server.

A second form of the second request message is as follows: An i^(th)second request message may be represented as m=En(C1_SID(i−1),C1_EPK(i−1), Code(m)_(i-1)), where Code(m)_(i-1) is a tag of the i^(th)second request message, and i=0, 2, . . . , N−1.

It may be understood that information that is about each to-be-requestedpseudonym identity and that is carried in the first request messagecorresponding to the second request message in this form is informationobtained after “a temporary public key and a pseudonym identifier thatneeds to be included in the to-be-requested pseudonym identity” areencrypted by using the public key corresponding to the pseudonymidentity generation server.

When the second request message is in the foregoing second form, it canbe ensured that the registration server does not learn of the temporarypublic key and the pseudonym identity that needs to be included in theto-be-requested pseudonym identity, thereby ensuring confidentiality ofthe generated pseudonym identity.

Code(m)_(i-1) may be a randomly generated code, or may be a hash valueobtained based on “En(C1_SID(i−1), C1_EPK(i−1), KGC_PK)”.

The tag of each second request message and the identifier of theterminal device are stored in association with each other in theregistration server, or the tag of the second request message, thesecond request message, and the identifier of the terminal device areassociated and stored in the registration server, so that theregistration server can obtain, based on the tag of the second requestmessage, the identifier that is of the terminal device and that isassociated with the tag of the second request message.

It may be understood that, if the type of the first request message is apseudonym identity request message, the registration server sends the Nsecond request messages to the pseudonym identity generation server; orif the type of the first request message is a pseudonym identity requestmessage, the registration server sends the N second request messages tothe pseudonym identity generation server. Based on the systemarchitecture in the embodiments of this application, in the method inthis embodiment of this application, both the pseudonym identity and apseudonym certificate can be generated.

Step S305: The pseudonym identity generation server generates Npseudonym identities based on the N second request messages, andgenerates pseudonym private keys corresponding to pseudonym identifiersincluded in the N pseudonym identities.

Specifically, because the second request message does not include theidentifier of the terminal device, the pseudonym identity generationserver does not learn of a terminal device to which the pseudonymidentity belongs, but learns of content of the pseudonym identity. Asdescribed above, if the first request message includes En(C1_SID(0),C1_EPK(0), KGC_PK), En(C1_SID(1), C1_EPK(1), KGC_PK), . . . ,En(C1_SID(i), C1_EPK(i), KGC_PK), . . . , and En(C1_SID(N−1),C1_EPK(N−1), KGC_PK), it can be ensured that the registration serverdoes not learn of content of the pseudonym identity, but learns of anowner of the pseudonym identity. In this way, confidentiality of thegenerated pseudonym identity can be ensured, and the pseudonym identityis not easily stolen by a single device.

If the information about the to-be-requested pseudonym identity in thesecond request message is information obtained after actual informationof the to-be-requested pseudonym identity is encrypted by using thepublic key of the pseudonym identity generation server, that is, thei^(th) second request message may be represented as m=((En(C1_SID(i−1),C1_EPK(i−1), KGC_PK)), Code(m)_(i-1)),

that the pseudonym identity generation server generates a pseudonymidentity based on the second request message includes:

The pseudonym identity generation server decrypts the information aboutthe to-be-requested pseudonym identity by using a private key of thepseudonym identity generation server, to obtain actual information ofthe to-be-requested certificate.

The pseudonym identity generation server generates the pseudonymidentity based on the tag of the second request message and at least apart of the actual information of the to-be-requested pseudonymcredential.

Alternatively, that the pseudonym identity generation server generates apseudonym identity based on the second request message includes:

The pseudonym identity generation server decrypts the information aboutthe to-be-requested pseudonym identity by using a private key of thepseudonym identity generation server, to obtain actual information ofthe to-be-requested certificate.

The pseudonym identity generation server encrypts the tag of the secondrequest message by using a symmetric key of the pseudonym identitygeneration server, to obtain an encrypted tag.

The pseudonym identity generation server generates the pseudonymidentity based on the encrypted tag and at least a part of the actualinformation of the to-be-requested pseudonym identity.

Specifically, if the i^(th) second request message may be represented asm=(En(C1_SID(i−1), C1_EPK(i−1), KGC_PK), Code(m)_(i-1)), the pseudonymidentity generation server decrypts En(C1_SID(i−1), C1_EPK(i−1), KGC_PK)by using a private key corresponding to KGC_PK (that is, a private keyof the pseudonym identity generation server), to obtain C1_SID(i−1) andC1_EPK(i−1) (C1_SID(i−1) and C1_EPK(i−1) are the actual information ofthe to-be-requested pseudonym identity), and writes C1_SID(i−1) into ani^(th) pseudonym identity, that is, C1_SID(i−1) is a pseudonymidentifier included in the i^(th) generated pseudonym identity.

The pseudonym identity generation server encrypts Code(m)_(i-1) by usinga symmetric key (which may be a symmetric key KGC_key of KGC) of thepseudonym identity generation server, to obtain encrypted Code(m)_(i-1),and the encrypted Code(m)_(i-1) is represented as E(Code(m), KGC_key).

After obtaining the i^(th) pseudonym identity, the pseudonym identitygeneration server may encrypt the i^(th) pseudonym identity by usingdecrypted C1_EPK(i−1) (an i^(th) temporary public key), to obtain ani^(th) encrypted pseudonym identity.

Therefore, the i^(th) pseudonym identity may include C1_SID(i−1) and theencrypted Code(m)_(i-1). The i^(th) encrypted pseudonym identity may berepresented as (En(C1_SID(i−1)∥E(Code(m)_(i-1), KGC_key)∥C1_EPK(i−1)).

Encrypting each generated pseudonym identity can ensure that in asubsequent step, after the pseudonym identity generation server sendsthe N pseudonym identities to the registration server, the registrationserver does not learn of content included in the pseudonym identities.

In addition, the pseudonym identity generation server may further set anexpiration time of the i^(th) pseudonym identity.

The pseudonym identity generation server may further perform a hashoperation based on C1_SID(i−1), the encrypted Code(m)_(i-1), and theexpiration time of the i^(th) pseudonym identity, to obtain a hashvalue, and encrypt the hash value by using the private key of thepseudonym identity generation server, to obtain a signature of thepseudonym identity.

Therefore, the i^(th) pseudonym identity may further include theexpiration time of the i^(th) pseudonym identity and the signature ofthe i^(th) pseudonym identity.

Further, the pseudonym identity generation server further generates apseudonym private key corresponding to each pseudonym identifier. Ani^(th) pseudonym identifier and a pseudonym private key corresponding tothe i^(th) pseudonym identifier constitute a public-private key pairthat is based on the i^(th) pseudonym identity. The public-private keypair based on the i^(th) pseudonym identity is used to verify acommunication message when the terminal device subsequently performscommunication by using the i^(th) pseudonym identity.

After obtaining the i^(th) pseudonym private key C1_SK(i−1)corresponding to the i^(th) pseudonym identifier, the pseudonym identitygeneration server may encrypt the i^(th) pseudonym private key by usingthe decrypted C1_EPK(i−1) (the i^(th) temporary public key), to obtainan i^(th) encrypted pseudonym private key that may be represented asEn(C1_SK(i−1), C1_EPK(i−1)).

In conclusion, the pseudonym identity generation server generates onepseudonym identity based on each second request message, or generates Nencrypted pseudonym identities of the terminal device based on the Nsecond request messages, and generates N pseudonym private keyscorresponding to pseudonym identifiers in the N pseudonym identities.

Step S306: The pseudonym identity generation server sends the Npseudonym identities and the N pseudonym private keys to theregistration server.

It may be understood that, if the pseudonym identity generation serverencrypts the generated pseudonym identity by using the temporary publickey, the pseudonym identity generation server sends the N encryptedpseudonym identities to the registration server.

If the pseudonym identity generation server encrypts the generatedpseudonym private key by using the temporary public key, the pseudonymidentity generation server sends the N encrypted pseudonym private keysto the registration server.

Step S307: The registration server sends the N pseudonym identities andthe N pseudonym private keys to the terminal device.

It may be understood that if the registration server receives Nencrypted pseudonym identities, the registration server sends the Nencrypted pseudonym identities to the terminal device; or if theregistration server receives N encrypted pseudonym private keys, theregistration server sends the N encrypted pseudonym private keys to theterminal device.

Because the pseudonym identity generation server encrypts the generatedpseudonym identity by using the temporary public key carried in thefirst request message sent by the terminal device to the registrationserver, and the terminal device stores a private key corresponding tothe temporary public key, after receiving the N pseudonym identities,the terminal device decrypts the N encrypted pseudonym identities byusing the private key corresponding to the temporary public key, toobtain the N pseudonym identities, and decrypts the N encryptedpseudonym private keys by using the private key corresponding to thetemporary public key, to obtain the N pseudonym private keys.

In the foregoing process, the terminal device obtains the N pseudonymidentities. Subsequently, the terminal device may perform communicationby using the N pseudonym identities. For example, when the i^(th)pseudonym identity is used for communication, a transmit end signsto-be-transmitted information by using a pseudonym private keycorresponding to the pseudonym identifier in the i^(th) pseudonymidentity. The to-be-transmitted information includes the i^(th)pseudonym identity. A receive end verifies the received information byusing the pseudonym identifier in the i^(th) pseudonym identity, toensure communication security.

In this embodiment, the generated pseudonym identity includes the tag ofthe second request message, and the tag of the second request messageand the real identifier of the terminal device are stored in associationwith each other in the registration server. In this way, when theterminal device has an improper behavior, the registration server canobtain the real identifier of the terminal device based on the tag inthe pseudonym identity, so that a real identity of the terminal devicecan be quickly determined based on the pseudonym identity.

To quickly revoke a plurality of pseudonym identities of a terminaldevice when the terminal device has an improper behavior, thisembodiment makes further improvements based on the foregoing embodiment.

FIG. 8A, FIG. 8B and FIG. 8C are a fourth signaling interaction diagramof a pseudonym credential configuration method according to anembodiment of this application. Referring to FIG. 8A, FIG. 8B and FIG.8C, the method in this embodiment includes the following steps.

Step S401: A terminal device sends a first request message to aregistration server, where the first request message includes anidentifier of the terminal device and information about Nto-be-requested pseudonym identities.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S402: The registration server determines that a type of the firstrequest message sent by the terminal device is a pseudonym identityrequest message.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S403: The registration server verifies the received first requestmessage.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S404: After the first request message is successfully verified, theregistration server sends a third request message to a first linkagevalue server, where the third request message includes indicationinformation instructing the first linkage value server to generate Nfirst pre-linkage values.

For a specific implementation, refer to the description in theembodiment shown in FIG. 4 . Details are not described in thisembodiment again.

Step S405: The first linkage value server generates N first pre-linkagevalues.

For a specific implementation, refer to the description in theembodiment shown in FIG. 4 . Details are not described in thisembodiment again.

Step S406: The first linkage value server sends a first feedback messageto the registration server, where the first feedback message includesthe N first pre-linkage values and a first hash value, and the firsthash value is a hash value corresponding to the identifier of theterminal device and a first random number.

For a specific implementation, refer to the description in theembodiment shown in FIG. 4 . Details are not described in thisembodiment again.

Step S407: After the first request message is successfully verified, theregistration server sends a fourth request message to the second linkagevalue server, where the fourth request message includes indicationinformation instructing the second linkage value server to generate Nsecond pre-linkage values.

For a specific implementation, refer to the description in theembodiment shown in FIG. 4 . Details are not described in thisembodiment again.

Step S408: The second linkage value server generates N secondpre-linkage values.

For a specific implementation, refer to the description in theembodiment shown in FIG. 4 . Details are not described in thisembodiment again.

Step S409: The second linkage value sends a second feedback message tothe registration server, where the second feedback message includes theN second pre-linkage values and a second hash value, and the second hashvalue is a hash value corresponding to a combination of the identifierof the terminal device and a second random number.

For a specific implementation, refer to the description in theembodiment shown in FIG. 4 . Details are not described in thisembodiment again.

Step S410: The registration server sends N second request messages tothe pseudonym identity generation server, where each second requestmessage includes a tag of the corresponding second request message,information about one to-be-requested pseudonym identity in theinformation about the N to-be-requested pseudonym identity, one firstpre-linkage value, and one second pre-linkage value.

Specifically, an i^(th) second request message may be represented asm=((C1_SID(i−1), C1_EPK(i−1), PLV1(i−1), PLV2(i−1)), Code(m)_(i-1)),where Code(m)_(i-1) is a tag of the i^(th) second request message, andi=0, 2, . . . , N−1.

Alternatively, an i^(th) second request message may be represented asm=((En(C1_SID(i−1), C1_EPK(i−1), KGC_PK), EPLV1(i−1), EPLV2(i−1)),Code(m)_(i-1)), where Code(m)_(i-1) is a tag of the i^(th) secondrequest message, and i=0, 2, . . . , N−1.

When the i^(th) second request message is in the foregoing second form,it can be ensured that the registration server does not learn of thetemporary public key, the first pre-linkage value and the secondpre-linkage value that are required for generating the linkage valueincluded in the pseudonym identity, and the pseudonym identifier thatneeds to be included in the pseudonym identity.

Code(m)_(i-1) may be a randomly generated code, or may be a hash valueobtained based on “En(C1_SID(i−1), C1_EPK(i−1), KGC_PK), EPLV1(i−1), andEPLV2(i−1)”.

The tag of each second request message and the identifier of theterminal device are stored in association with each other in theregistration server, or the tag of the second request message, thesecond request message, and the identifier of the terminal device areassociated and stored in the registration server, so that theregistration server can obtain, based on the tag of the second requestmessage, the identifier that is of the terminal device and that isassociated with the tag of the second request message.

It may be understood that, if the type of the first request message is apseudonym identity request message, the registration server sends the Nsecond request messages to the pseudonym identity generation server; orif the type of the first request message is a pseudonym identity requestmessage, the registration server sends the N second request messages tothe pseudonym identity generation server. Based on the systemarchitecture in the embodiments of this application, in the method inthis embodiment of this application, both the pseudonym identity and thepseudonym identity can be generated.

Step S411: The pseudonym identity generation server generates Npseudonym identities based on the N second request messages, andgenerates pseudonym private keys corresponding to pseudonym identifiersincluded in the N pseudonym identities.

Specifically, because the second request message does not include theidentifier of the terminal device, the pseudonym identity generationserver does not learn of a terminal device to which the pseudonymidentity belongs, but learns of content of the pseudonym identity. Asdescribed above, if the first request message includes En(C1_SID(0),C1_EPK(0), KGC_PK), En(C1_SID(1), C1_EPK(1), KGC_PK), . . . ,En(C1_SID(i), C1_EPK(i), KGC_PK), . . . , and En(C1_SID(N−1),C1_EPK(N−1), KGC_PK), the first feedback message includes EPLV1(0),EPLV1(2), EPLV1(i), . . . , and EPLV1(N−1), and the second feedbackmessage includes EPLV2(0), EPLV2(1), . . . , EPLV2(i), . . . , andEPLV2(N−1), it can be ensured that the registration server does notlearn of content of the pseudonym identity, but learns of an owner ofthe pseudonym identity. In this way, confidentiality of the generatedpseudonym identity can be ensured, and the pseudonym identity is noteasily stolen by a single device.

If the information about the to-be-requested pseudonym identity in thesecond request message is information obtained after actual informationof the to-be-requested pseudonym identity is encrypted by using thepublic key of the pseudonym identity generation server, and the firstpre-linkage value and the second pre-linkage value that are encrypted byusing the public key of the pseudonym identity generation server, thatis, the i^(th) second request message may be represented asm=((En(C1_SID(i−1), C1_EPK(i−1), KGC_PK), EPLV1(i−1), EPLV2(i−1)),Code(m)_(i-1)),

that the pseudonym identity generation server generates a pseudonymidentity based on the second request message includes:

The pseudonym identity generation server decrypts the information aboutthe to-be-requested pseudonym identity by using a private key of thepseudonym identity generation server, to obtain actual information ofthe to-be-requested certificate.

The pseudonym identity generation server decrypts, by using the privatekey of the pseudonym identity generation server, the first pre-linkagevalue and the second pre-linkage value that are encrypted by using thepublic key of the pseudonym identity generation server, to obtain thefirst pre-linkage value and the second pre-linkage value.

The pseudonym identity generation server performs an exclusive ORoperation on the first pre-linkage value and the second pre-linkagevalue to obtain a linkage value.

The pseudonym identity generation server generates the pseudonymidentity based on the tag of the second request message, at least a partof the actual information of the to-be-requested pseudonym credential,and the linkage value.

Alternatively, that the pseudonym identity generation server generates apseudonym identity based on the second request message includes:

The pseudonym identity generation server decrypts the information aboutthe to-be-requested pseudonym identity by using a private key of thepseudonym identity generation server, to obtain actual information ofthe to-be-requested certificate.

The pseudonym identity generation server decrypts, by using the privatekey of the pseudonym identity generation server, the first pre-linkagevalue and the second pre-linkage value that are encrypted by using thepublic key of the pseudonym identity generation server, to obtain thefirst pre-linkage value and the second pre-linkage value.

The pseudonym identity generation server performs an exclusive ORoperation on the first pre-linkage value and the second pre-linkagevalue to obtain a linkage value.

The pseudonym identity generation server encrypts the tag of the secondrequest message by using a symmetric key of the pseudonym identitygeneration server, to obtain an encrypted tag.

The pseudonym identity generation server generates the pseudonymidentity based on the encrypted tag, at least a part of the actualinformation of the to-be-requested pseudonym identity, and the linkagevalue.

The linkage value is obtained based on the first pre-linkage valuegenerated by the first linkage value server and the second pre-linkagevalue generated by the second linkage value server, so that it can beensured that the linkage value in the pseudonym identity is learned ofby only the pseudonym identity generation server, thereby furtherensuring security of the pseudonym identity.

Specifically, if the i^(th) second request message may be represented asm=((En(C1_SID(i−1), C1_EPK(i−1), KGC_PK), EPLV1(i−1), EPLV2(i−1)),Code(m)_(i-1)), the pseudonym identity generation server decryptsEn(C1_SID(i−1), C1_EPK(i−1), KGC_PK) by using a private keycorresponding to KGC_PK (that is, the private key of the pseudonymidentity generation server), to obtain C1_SID(i−1) and C1_EPK(i−1)(C1_SID(i−1) and C1_EPK(i−1) are the actual information of theto-be-requested pseudonym identity), and writes C1_SID(i−1) into ani^(th) pseudonym identity, that is, C1_SID(i−1) is a pseudonymidentifier included in the i^(th) generated pseudonym identity.

The pseudonym identity generation server decrypts EPLV1(i−1) andEPLV2(i−1) by using the private key corresponding to KGC_PK to obtainPLV1(i−1) and PLV2(i−1), and then performs the exclusive OR operation onPLV1(i−1) and PLV2(i−1) to obtain LV1(i−1). LV1(i−1) indicates an i^(th)linkage value generated after the exclusive OR operation is performed onan i^(th) first pre-linkage value and an i^(th) second pre-linkagevalue.

The pseudonym identity generation server encrypts Code(m)_(i-1) by usinga symmetric key (which may be a symmetric key KGC_key of KGC)corresponding to the pseudonym identity generation server, to obtainencrypted Code(m)_(i-1), and the encrypted Code(m)_(i-1) is representedas E(Code(m), KGC_key).

Therefore, the i^(th) pseudonym identity may include C1_SID(i−1), thei^(th) linkage value LV1(i−1), and the encrypted Code(m)_(i-1). Ani^(th) encrypted pseudonym identity may be represented as (En(C1_SID(i−1)∥LV(i−1)∥E(Code(m)_(i-1), KGC_key)∥C1 EPK(i−1)).

After obtaining the i^(th) pseudonym identity, the pseudonym identitygeneration server may encrypt the i^(th) pseudonym identity by usingdecrypted C1_EPK(i−1) (an i^(th) temporary public key), to obtain thei^(th) encrypted pseudonym identity.

Encrypting each generated pseudonym identity can ensure that in asubsequent step, after the pseudonym identity generation server sendsthe N pseudonym identities to the registration server, the registrationserver does not learn of content included in the pseudonym identities.

In addition, the pseudonym identity generation server may further set anexpiration time of the i^(th) pseudonym identity.

The pseudonym identity generation server may further perform a hashoperation based on C1_SID(i−1), the encrypted Code(m)_(i-1), and theexpiration time of the i^(th) pseudonym identity, to obtain a hashvalue, and encrypt the hash value by using the private key correspondingto the pseudonym identity generation server, to obtain a signature ofthe pseudonym identity.

Therefore, the i^(th) pseudonym identity may further include theexpiration time of the i^(th) pseudonym identity and the signature ofthe i^(th) pseudonym identity.

Further, the pseudonym identity generation server further generates apseudonym private key corresponding to each pseudonym identifier. Ani^(th) pseudonym identifier and a pseudonym private key corresponding tothe i^(th) pseudonym identifier constitute a public-private key pairthat is based on the i^(th) pseudonym identity. The public-private keypair based on the i^(th) pseudonym identity is used to verify acommunication message when the terminal device subsequently performscommunication by using the i^(th) pseudonym identity.

After obtaining the i^(th) pseudonym private key C1_SK(i−1)corresponding to the i^(th) pseudonym identifier, the pseudonym identitygeneration server may encrypt the i^(th) pseudonym private key by usingthe decrypted C1_EPK(i−1) (the i^(th) temporary public key), to obtainan i^(th) encrypted pseudonym private key that may be represented asEn(C1_SK(i−1), C1_EPK(i−1)).

In conclusion, the pseudonym identity generation server generates onepseudonym identity based on each second request message, or generates Nencrypted pseudonym identities of the terminal device based on the Nsecond request messages, and generates N pseudonym private keyscorresponding to pseudonym identifiers in the N pseudonym identities.

Step S412: The pseudonym identity generation server sends the Npseudonym identities and the N pseudonym private keys to theregistration server.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

Step S413: The registration server sends the N pseudonym identities andthe N pseudonym private keys to the terminal device.

For a specific implementation, refer to the description in the foregoingembodiment. Details are not described in this embodiment again.

In this embodiment, the generated pseudonym identity includes the tag ofthe second request message and the linkage value. When the terminaldevice has an improper behavior, a real identifier ID1 of the terminaldevice can be quickly identified based on the tag of the second requestmessage. In addition, the registration server stores the first hashvalue of the identifier ID1 of the terminal device and the first randomnumber in association with the identifier ID1 of the terminal device,and stores the second hash value of the identifier ID1 of the terminaldevice and the second random number in association with the identifierID1 of the terminal device. Therefore, the registration server canobtain the first hash value and the second hash value based on theidentifier ID1 of the terminal device. In addition, the first hash valueand the second hash value are stored in linkage with the native seedvalue or the seed value or the pre-linkage value related to the linkagevalue in the generated pseudonym certificate, so that linkage values inall pseudonym identities of the terminal device can be obtained, and allthe pseudonym identities of the terminal device can be quickly revokedbased on the obtained linkage values.

An example in which the pseudonym credential is a pseudonym certificateis used below to describe a process in which a pseudonym certificate ofa terminal device is revoked if the terminal device performs an improperbehavior after obtaining the pseudonym certificate.

FIG. 9A, FIG. 9B and FIG. 9C are a fifth interaction flowchart of apseudonym credential configuration method according to an embodiment ofthis application. Referring to FIG. 9A, FIG. 9B and FIG. 9C, the methodin this embodiment includes the following steps.

Step S501: A first terminal device sends a report message to a behaviorinvestigation server, where the report message includes a pseudonymcertificate of a second terminal device.

Specifically, during communication between the first terminal device andthe second terminal device, if the first terminal device finds that thesecond terminal is performing an improper behavior, the first terminaldevice sends, to the behavior investigation server, a pseudonymcertificate currently used by the second terminal device duringcommunication.

The behavior investigation server may be an MA server.

Step S502: The behavior investigation server determines that a pseudonymcredential included in the report message is a pseudonym certificate.

Specifically, a method for determining, by the behavior investigationserver after receiving the report information, a type of a pseudonymcredential sent by the first terminal device may be implemented by usingthe following two implementations, but not limited to the following twoimplementations.

One implementable implementation is based on different forms of thepseudonym certificate and a pseudonym identity. As described above, thepseudonym certificate is in a form of a certificate, and the pseudonymidentity is in a form of a character string. For example, if the reportmessage sent by the first terminal device in step S501 includes thepseudonym certificate, and the behavior investigation server determinesthat the pseudonym credential included in the report message is in aform of a certificate, the behavior investigation server determines thata pseudonym credential sent by the first terminal device is a pseudonymcertificate.

In another implementable implementation, the report message includesindication information, where the indication information indicates atype of the pseudonym credential; and the behavior investigation serverdetermines, based on the indication information, the type of thepseudonym credential included in the report message. For example, if theindication information is a first identifier, it is determined that thetype of the pseudonym credential included in the report message is apseudonym certificate; or if the indication information is a secondidentifier, it is determined that the type of the pseudonym credentialincluded in the report message is a pseudonym identity. For example, instep S501, when the first terminal device sends the pseudonymcertificate of the second terminal, the report message carries the firstidentifier.

Step S503: The behavior investigation server sends the pseudonymcertificate to a pseudonym certificate generation server.

Specifically, after determining that the pseudonym credential includedin the report information is a pseudonym certificate, the behaviorinvestigation server sends the pseudonym certificate to the pseudonymcertificate generation server.

Step S504: The pseudonym certificate generation server obtains a tagincluded in the pseudonym certificate.

Specifically, after the pseudonym certificate generation server receivesthe pseudonym certificate, as described in the foregoing embodiment, ifthe tag included in the pseudonym certificate has been encrypted byusing a symmetric key of the pseudonym certificate generation server,decryption is performed by using the symmetric key of the pseudonymcertificate generation server, to obtain the tag included in thepseudonym certificate.

It may be understood that the tag herein is the tag of the secondrequest message sent by the registration server to the pseudonymcertificate generation server in the foregoing embodiment.

Step S505: The pseudonym certificate generation server sends theobtained tag to the behavior investigation server.

Step S506: The behavior investigation server sends the tag to aregistration server.

Step S507: The registration server determines an identifier associatedwith the tag, where the identifier is an identifier of the secondterminal device.

Specifically, as described in the foregoing embodiment, the registrationserver stores the identifier (the real identifier) of the terminaldevice in association with the tag included in the pseudonymcertificate. Therefore, after receiving the tag sent by the behaviorinvestigation server, the registration server may obtain the identifierassociated with the tag. It may be understood that, in this embodiment,the identifier that is obtained by the registration server and that isassociated with the tag is a real identifier of the second terminaldevice.

After obtaining the real identifier of the second terminal device, theregistration server can learn of a real identity of the second terminaldevice, so that a real identity of a terminal device having an improperbehavior can be quickly determined.

After the real identity of the terminal device having the improperbehavior is determined, if the registration server receives again arequest message that is sent by the terminal device for requesting apseudonym certificate, the registration server may reject the requestfor generating a pseudonym certificate, that is, the registration servermay not send a request message (that is, the second request message inthe foregoing embodiment) for requesting to generate a pseudonymcertificate to the pseudonym certificate generation server.

Step S508: The registration server obtains a first hash value and asecond hash value that are associated with the identifier, where thefirst hash value is a hash value of the identifier and a first randomnumber, and the second hash value is a hash value of the identifier anda second random number.

After determining the real identity of the second terminal device, torevoke all pseudonym certificates of the second terminal device, theregistration server needs to obtain the first hash value and the secondhash value that are associated with the identifier of the secondterminal device.

For example, in the foregoing embodiment, after receiving the firstrequest message sent by the terminal device, the registration serverstores the hash value obtained based on the identifier of the terminaldevice and the random number in association with the identifier of theterminal device. In this case, after the second terminal device sendsthe first request message to the registration server, the registrationserver also obtains the first hash value based on the identifier of thesecond terminal device and the first random number that is generated bythe registration server for the second terminal device, obtains thesecond hash value based on the identifier of the second terminal deviceand the second random number that is generated by the registrationserver for the second terminal device, and stores both the first hashvalue and the first hash value in linkage with the identifier of thesecond terminal device. Therefore, the registration server can obtainthe first hash value and the second hash value that are associated withthe identifier of the second terminal device.

Step S509: The registration server sends the first hash value to a firstlinkage value server.

Step S510: The first linkage value server obtains a first target valueset associated with the first hash value, where the first target valueset includes one of N first seed values, a first native seed value, andN first pre-linkage values.

Specifically, as described in the foregoing embodiment, the thirdrequest message carries the hash value corresponding to the identifierof the terminal device and the random number, and the first linkagevalue server stores the hash value corresponding to the identifier ofthe terminal device and the random number in association with the firsttarget value.

It may be understood that, if the first linkage value server in theforegoing embodiment stores the N first seed values in association withthe first hash value, the first target value set includes the N firstseed values, and the first linkage value server obtains the N first seedvalues associated with the first hash value.

If the first linkage value server in the foregoing embodiment stores thefirst native seed value in association with the first hash value, thefirst target value set includes the first native seed value, and thefirst linkage value server obtains the first native seed valueassociated with the first hash value.

If the first linkage value server in the foregoing embodiment stores theN first pre-linkage values in association with the first hash value, thefirst target value set includes the N first pre-linkage values, and thefirst linkage value server obtains the N first pre-linkage valuesassociated with the first hash value.

Step S511: The first linkage value server sends the first target valueset to the behavior investigation server.

Specifically, if the first target value set includes the N first seedvalues, the first linkage value server sends the N first seed values tothe behavior investigation server.

If the first target value set includes the first native seed value, thefirst linkage value server sends the first native seed value to thebehavior investigation server.

If the first target value set includes the N first pre-linkage values,the first linkage value server sends the N first pre-linkage values tothe behavior investigation server.

Step S512: The registration server sends the second hash value to asecond linkage value server.

Step S513: The second linkage value server obtains a second target valueset associated with the second hash value, where the second target valueset includes one of N second seed values, a second native seed value,and N second pre-linkage values.

Specifically, as described in the foregoing embodiment, the thirdrequest message carries the hash value corresponding to the identifierof the terminal device and the random number, and the second linkagevalue server stores the hash value corresponding to the identifier ofthe terminal device and the random number in association with the secondtarget value.

It may be understood that, if the first linkage value server in theforegoing embodiment stores the N second seed values in association withthe second hash value, the second target value set includes the N secondseed values, and the second linkage value server obtains the N secondseed values associated with the first hash value.

If the second linkage value server in the foregoing embodiment storesthe second native seed value in association with the second hash value,the first target value set includes the second native seed value, andthe second linkage value server obtains the second native seed valueassociated with the second hash value.

If the second linkage value server in the foregoing embodiment storesthe N second pre-linkage values in association with the second hashvalue, the second target value set includes the N second pre-linkagevalues, and the second linkage value server obtains the N secondpre-linkage values associated with the second hash value.

Step S514: The second linkage value server sends the second target valueset to the behavior investigation server.

Specifically, if the second target value set includes the N second seedvalues, the second linkage value server sends the N second seed valuesto the behavior investigation server.

If the second target value set includes the second native seed value,the second linkage value server sends the second native seed value tothe behavior investigation server.

If the second target value set includes the N second pre-linkage values,the second linkage value server sends the N second pre-linkage values tothe behavior investigation server.

Step S515: The behavior investigation server generates N linkage valuesbased on the first target value set and the second target value set.

If the first target value set includes the first native seed value, andthe second target value set includes the second native seed value, thatthe behavior investigation server generates N linkage values based onthe first target value set and the second target value set includes:

The behavior investigation server generates N−1 first seed values basedon the first native seed value, and generates N first pre-linkage valuesbased on the first native seed value and the N−1 first seed values.

The behavior investigation server generates N−1 second seed values basedon the second native seed value, and generates N second pre-linkagevalues based on the second native seed value and the N−1 second seedvalues.

For each of N groups of pre-linkage values, the behavior investigationserver performs an exclusive OR operation on a first pre-linkage valueand a second pre-linkage value that are included in the group to obtaina linkage value. Each group of pre-linkage values includes one firstpre-linkage value and one second pre-linkage value.

For a specific implementation of the foregoing description, refer tostep S208 and step S211 in the embodiment shown in FIG. 4 .

If the first target value set includes the N first pre-linkage values,and the second target value set includes the N second pre-linkagevalues, that the behavior investigation server generates N linkagevalues based on the first target value set and the second target valueset includes:

For each of N groups of pre-linkage values, the behavior investigationserver performs an exclusive OR operation on a first pre-linkage valueand a second pre-linkage value in the group to obtain a linkage value.

If the first target value set includes the N first seed values, and thesecond target value set includes the N second seed values, that thebehavior investigation server generates N linkage values based on thefirst target value set and the second target value set includes:

The behavior investigation server generates N first pre-linkage valuesbased on the N first seed values.

The behavior investigation server generates N second pre-linkage valuesbased on the N second seed values.

For each of N groups of pre-linkage values, the behavior investigationserver performs an exclusive OR operation on a first pre-linkage valueand a second pre-linkage value that are included in the group to obtaina linkage value. Each group of pre-linkage values includes one firstpre-linkage value and one second pre-linkage value.

Step S516: For each linkage value, the behavior investigation serverrevokes a pseudonym certificate including the linkage value.

Specifically, in step S515, the N linkage values are obtained, and thebehavior investigation server revokes a pseudonym certificate includingany one of the N linkage values, that is, revokes the pseudonymcertificate of the second terminal device.

According to the method in this embodiment, a real identity of aterminal device having an improper behavior can be identified, and allpseudonym certificates of the terminal device having the improperbehavior can be quickly revoked.

An example in which the pseudonym credential is a pseudonym identity isused below to describe a process in which a pseudonym identity of aterminal device is revoked if the terminal device performs an improperbehavior after obtaining the pseudonym certificate.

FIG. 10 is a fifth interaction flowchart of a pseudonym credentialconfiguration method according to an embodiment of this application.Referring to FIG. 8 , the method in this embodiment includes thefollowing steps.

Step S601: A first terminal device sends a report message to a behaviorinvestigation server, where the report message includes a pseudonymidentity of a second terminal device.

Step S602: The behavior investigation server determines that a pseudonymcredential included in the report message is a pseudonym identity.

Step S603: The behavior investigation server sends the pseudonymidentity to a pseudonym identity generation server.

Step S604: The pseudonym identity generation server obtains a tagincluded in the pseudonym identity.

Step S605: The pseudonym identity generation server sends the tagobtained through decryption to the behavior investigation server.

Step S606: The behavior investigation server sends the tag to aregistration server.

Step S607: The registration server determines an identifier associatedwith the tag, where the identifier is an identifier of the secondterminal device.

Step S608: The registration server obtains a first hash value and asecond hash value that are associated with the identifier, where thefirst hash value is a hash value of the identifier and a first randomnumber, and the second hash value is a hash value of the identifier anda second random number.

Step S609: The registration server sends the first hash value to a firstlinkage value server.

Step S610: The first linkage value server obtains a first target valueset associated with the first hash value, where the first target valueset includes one of N first seed values, a first native seed value, andN first pre-linkage values.

Step S611: The first linkage value server sends the first target valueset to the behavior investigation server.

Step S612: The registration server sends the second hash value to asecond linkage value server.

Step S613: The second linkage value server obtains a second target valueset associated with the second hash value, where the second target valueset includes one of N second seed values, a second native seed value,and N second pre-linkage values.

Step S614: The second linkage value server sends the second target valueset to the behavior investigation server.

Step S615: The behavior investigation server generates N linkage valuesbased on the first target value set and the second target value set.

Step S616: For each linkage value, the behavior investigation serverrevokes a pseudonym identity including the linkage value.

According to the method in this embodiment, a real identity of aterminal device having an improper behavior can be identified, and allpseudonym certificates of the terminal device having the improperbehavior can be quickly revoked.

In conclusion, it can be learned from the embodiments shown in FIG. 3 toFIG. 8A, FIG. 8B and FIG. 8C that, when a pseudonym credential isgenerated for a terminal device, a tag included in the pseudonymcredential is used to identify a real identity of a terminal device withan improper behavior, and linkage values included in pseudonymcredentials are used to quickly revoke all pseudonym credentials of theterminal device having the improper behavior.

It should be understood that, sequence numbers of the foregoingprocesses do not mean execution sequences. The execution sequences ofthe processes should be determined according to functions and internallogic of the processes, and should not be construed as any limitation onthe implementation processes of the embodiments of this application.

In the embodiments of this application, function modules of a mobiledevice may be divided based on the foregoing method example. Forexample, each function module may be obtained through division based oneach corresponding function, or two or more functions may be integratedinto one processing module. The foregoing integrated unit may beimplemented in a form of hardware, or may be implemented in a form of asoftware functional module. It should be noted that module division inthe embodiments of this application is an example, and is merely logicalfunction division and may be other division in actual implementation.For example, a plurality of units or components may be combined orintegrated into another system, or some features may be ignored, or noexecution is performed. In addition, the displayed or discussed mutualcouplings or direct couplings or communication connections may beimplemented by using some interfaces. The indirect couplings orcommunication connections between the apparatuses or units may beimplemented in electronic, mechanical, or other forms.

FIG. 10 is a first schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 10 , the apparatus in this embodimentincludes a receiving module 31, a sending module 32, and a storagemodule 33.

The receiving module 31 is configured to receive a first request messagefrom a terminal device. The first request message includes an identifierof the terminal device and information about N to-be-requested pseudonymcredentials, and N is a positive integer.

The sending module 32 is configured to send N second request messages toa pseudonym credential generation server. The second request message isused to instruct the pseudonym credential generation server to generatea pseudonym credential. The pseudonym credential includes a tag of thecorresponding second request message and at least a part of informationabout one to-be-requested pseudonym credential included in thecorresponding second request message.

The storage module 33 is configured to store a tag of each secondrequest message in association with the identifier of the terminaldevice in the pseudonym credential configuration apparatus, so that thepseudonym credential configuration apparatus can obtain, based on thetag, the identifier that is of the first terminal device and that isassociated with the tag.

The receiving module 31 is further configured to receive N pseudonymcredentials from the pseudonym credential generation server.

The sending module 32 is configured to send the N pseudonym credentialsto the terminal device.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to theregistration server of the foregoing method embodiment. Theimplementation principles and technical effects are similar, and are notfurther described herein.

FIG. 11 is a second schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 10 , based on FIG. 10 , the pseudonymcredential configuration apparatus further includes a determining module34.

The determining module 34 is configured to determine a type of the firstrequest message before the sending module 32 sends the N second requestmessages to the pseudonym credential generation server. The type is apseudonym certificate request message or a pseudonym identity requestmessage.

If the type is a pseudonym certificate request message, the sendingmodule 32 sends the N second request messages to a pseudonym certificategeneration server.

If the type is a pseudonym identity request message, the sending module32 sends the N second request messages to the pseudonym identitygeneration server.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to theregistration server of the foregoing method embodiment. Theimplementation principles and technical effects are similar, and are notfurther described herein.

In a possible design, the first request message further includes firstindication information indicating the type of the first request message.The determining module 34 is specifically configured to determine thetype of the first request message based on the first indicationinformation.

In a possible design, the sending module 32 is further configured to:before sending the N second request messages to the pseudonym credentialgeneration server, send a third request message to a first linkage valueserver, and send a fourth request message to a second linkage valueserver. The third request message includes indication informationinstructing the first linkage value server to generate N firstpre-linkage values. The fourth request message includes indicationinformation instructing the second linkage value server to generate Nsecond pre-linkage values.

The receiving module 31 is further configured to receive the N firstpre-linkage values from the first linkage value server, and receive theN second pre-linkage values from the second linkage value server.

In this case, each pseudonym credential further includes a linkagevalue. The linkage value is obtained by the pseudonym credentialgeneration server based on a first pre-linkage value and a secondpre-linkage value included in a corresponding second request message.

In a possible design, the third request message further includes a firsthash value. The first hash value is a hash value corresponding to theidentifier of the terminal device and a first random number. The fourthrequest message further includes a second hash value. The second hashvalue is a hash value corresponding to the identifier of the terminaldevice and a second random number.

The storage module 33 is further configured to store the identifier ofthe terminal device in association with the first hash value and thesecond hash value, so that the pseudonym credential configurationapparatus can obtain the first hash value and the second hash valuebased on the identifier of the terminal device.

In a possible design, the first pre-linkage value is a linkage valueencrypted by using a public key of the pseudonym credential generationserver, and the second pre-linkage value is a linkage value encrypted byusing the public key of the pseudonym credential generation server.

In a possible design, the information about the to-be-requestedpseudonym credential is information obtained after actual information ofthe to-be-requested pseudonym credential is encrypted by using a publickey of the pseudonym credential generation server.

In this case, the at least a part of the information about theto-be-requested pseudonym credential that is included in the pseudonymcredential is at least a part of the actual information of theto-be-requested pseudonym credential.

If the pseudonym credential is a pseudonym certificate, the at least apart of the actual information of the to-be-requested pseudonymcredential includes a pseudonym certificate public key.

If the pseudonym credential is a pseudonym identity, the at least a partof the actual information of the to-be-requested pseudonym credentialincludes a pseudonym identifier.

In a possible design, if the pseudonym credential is a pseudonymidentity, the receiving module 31 is further configured to receive, fromthe pseudonym credential generation server, N pseudonym private keyscorresponding to N pseudonym identifiers in N pseudonym identities.

In a possible design, the pseudonym credential configuration apparatusfurther includes the receiving module 31, further configured to receivea target tag from a behavior investigation server.

The determining module 34 is configured to determine a target identifierassociated with the target tag. The target identifier is used toindicate a target terminal device.

In a possible design, the sending module 32 is further configured tosend a first target hash value and a second target hash value that areassociated with the target identifier to the behavior investigationserver. The first target hash value is a hash value corresponding to thetarget identifier and a third random number. The second target hashvalue is a hash value corresponding to the target identifier and afourth random number.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to theregistration server of the foregoing method embodiment. Theimplementation principles and technical effects are similar, and are notfurther described herein.

FIG. 12 is a third schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 12 , the apparatus in this embodimentincludes a receiving module 41, a generation module 42, and a sendingmodule 43.

The receiving module 41 is configured to receive a request message froma registration server. The request message includes a tag of the requestmessage and information about a to-be-requested pseudonym credential ofa terminal device. The tag of the request message and the identifier ofthe terminal device are stored in association with each other in theregistration server, so that the registration server can obtain, basedon the tag, the identifier that is of the terminal device and that isassociated with the tag.

The generation module 42 is configured to generate a pseudonymcredential. The pseudonym credential includes the tag and at least apart of the information about the to-be-requested pseudonym credential.

The sending module 43 is configured to send the pseudonym credential tothe registration server.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to thepseudonym credential generation server of the foregoing methodembodiment. The implementation principles and technical effects aresimilar, and are not further described herein.

In a possible design, the information about the to-be-requestedpseudonym credential is information obtained after actual information ofthe to-be-requested pseudonym credential is encrypted by using a publickey of the pseudonym credential configuration apparatus.

The generation module 42 is specifically configured to decrypt theinformation about the to-be-requested pseudonym credential by using aprivate key of the pseudonym credential configuration apparatus, toobtain the actual information of the to-be-requested pseudonymcredential; and generate the pseudonym credential based on the tag andthe at least a part of the actual information of the to-be-requestedpseudonym credential.

In a possible design, the request message further includes a firstpre-linkage value and a second pre-linkage value that are encrypted byusing a public key of the pseudonym credential configuration apparatus.

The generation module 42 is specifically configured to decrypt, by thepseudonym credential configuration apparatus by using a private key ofthe pseudonym credential configuration apparatus, the first pre-linkagevalue and the second pre-linkage value that are encrypted by using thepublic key of the pseudonym credential configuration apparatus, toobtain the first pre-linkage value and the second pre-linkage value.

The pseudonym credential configuration apparatus performs an exclusiveOR operation on the first pre-linkage value and the second pre-linkagevalue to obtain a linkage value.

The generation module 42 is specifically configured to generate thepseudonym credential based on the tag and the at least a part of theactual information of the to-be-requested pseudonym credential.

In a possible design, the generation module 42 is specificallyconfigured to:

encrypt the tag by using a symmetric key of the pseudonym credentialconfiguration apparatus to obtain an encrypted tag; and

generate the pseudonym credential based on the encrypted tag, the atleast a part of the actual information of the to-be-requested pseudonymcredential, and the linkage value.

In a possible design, if the pseudonym credential is a pseudonymcertificate, the actual information of the to-be-requested pseudonymcredential includes a pseudonym certificate public key, and thepseudonym credential configuration apparatus is a pseudonym certificategeneration server.

The generation module 42 is specifically configured to generate thepseudonym certificate based on the encrypted tag, the pseudonymcertificate public key, and the linkage value.

In a possible design, if the pseudonym credential is a pseudonymidentity, the actual information of the to-be-requested pseudonymcredential includes a pseudonym identifier, and the pseudonym credentialconfiguration apparatus is a pseudonym identity generation server.

The generation module 42 is specifically configured to:

generate the pseudonym identity based on the encrypted tag, thepseudonym identifier, and the linkage value.

In a possible design, the actual information of the to-be-requestedpseudonym credential further includes a temporary public key. Thegeneration module 42 is further configured to:

encrypting the pseudonym certificate by using the temporary public key,to obtain an encrypted pseudonym certificate.

The sending module 43 is further configured to send the encryptedpseudonym certificate to the registration server.

In a possible design, the actual information of the to-be-requestedpseudonym credential further includes a temporary public key. Thegeneration module 42 is further configured to encrypt the pseudonymidentity by using the temporary public key, to obtain an encryptedpseudonym identity.

The sending module 43 is further configured to send the encryptedpseudonym identity to the registration server.

In a possible design, the generation module 42 is further configured togenerate a pseudonym private key corresponding to the pseudonymidentifier; and

encrypt the pseudonym private key by using the temporary public key, toobtain an encrypted pseudonym private key.

The sending module 43 is further configured to send the encryptedpseudonym private key to the registration server.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to thepseudonym credential generation server of the foregoing methodembodiment. The implementation principles and technical effects aresimilar, and are not further described herein.

FIG. 13 is a fourth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 13 , based on FIG. 12 , the pseudonymcredential configuration apparatus further includes an obtaining module44.

The receiving module 41 is further configured to receive a targetpseudonym credential sent by a behavior investigation server.

The obtaining module 44 is configured to obtain a target tag in thetarget pseudonym credential.

The sending module 43 is further configured to send the target tag tothe behavior investigation server.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to thepseudonym credential generation server of the foregoing methodembodiment. The implementation principles and technical effects aresimilar, and are not further described herein.

FIG. 14 is a fifth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 14 , the apparatus in this embodimentincludes a receiving module 51 and a sending module 52.

The receiving module 51 is configured to receive a report message from afirst terminal device. The report message includes a pseudonymcredential of a second terminal device.

The sending module 52 is configured to send the pseudonym credential toa pseudonym credential generation server, so that the pseudonymcredential generation server obtains a target tag included in thepseudonym credential. The target tag is a tag corresponding to a requestmessage sent by a registration server to the pseudonym credentialgeneration server. The request message instructs the pseudonymcredential generation server to generate the pseudonym credential.

The receiving module 51 is further configured to receive the target tagfrom the pseudonym credential generation server.

The sending module 52 is further configured to send the target tag tothe registration server, so that the registration server obtains anidentifier that is of the second terminal device and that is associatedwith the target tag.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to thepseudonym credential generation server of the foregoing methodembodiment. The implementation principles and technical effects aresimilar, and are not further described herein.

FIG. 15 is a sixth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 15 , based on FIG. 14 , the apparatus inthis embodiment further includes a generation module 53 and a revocationmodule 54.

The receiving module 51 is further configured to receive, from theregistration server, a first target hash value corresponding to theidentifier of the second terminal device and a first random number, anda second target hash value corresponding to the identifier of the secondterminal device and a second random number.

The sending module 52 is further configured to send the first targethash value to a first linkage value server, and send the second targethash value to a second linkage value server.

The receiving module 51 is further configured to receive a first targetvalue set associated with the first target hash value from the firstlinkage value server, and receive a second target value set associatedwith a target hash value from the second linkage value server. The firsttarget value set includes one of N first seed values, a first nativeseed value, and N first pre-linkage values. The second target value setincludes one of N second seed values, a second native seed value, and Nsecond pre-linkage values.

The generation module 53 is configured to generate N linkage valuesbased on the first target value set and the second target value set.

For each linkage value, the revocation module 54 is configured to revokea pseudonym credential that includes the linkage value.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to the behaviorinvestigation server of the foregoing method embodiment. Theimplementation principles and technical effects are similar, and are notfurther described herein.

In a possible design, if the first target value set includes a firstnative seed value, the second target value set includes a second nativeseed value. The generation module 53 is specifically configured to:

generate N−1 first seed values based on the first native seed value, andgenerate N first pre-linkage values based on the first native seed valueand the N−1 first seed values;

generate N−1 second seed values based on the second native seed value,and generate N second pre-linkage values based on the second native seedvalue and the N−1 second seed values; and

for each of N groups of pre-linkage values, perform an exclusive ORoperation on a first pre-linkage value and a second pre-linkage valuethat are included in the group to obtain a linkage value. Each group ofpre-linkage values includes one first pre-linkage value and one secondpre-linkage value.

In a possible design, the first target value set includes N firstpre-linkage values, and the second target value set includes N secondpre-linkage values. The generation module 53 is specifically configuredto:

for each of N groups of pre-linkage values, perform an exclusive ORoperation on a first pre-linkage value and a second pre-linkage value inthe group to obtain a linkage value.

In a possible design, the first target value set includes N first seedvalues, and the second target value set includes N second seed values.The generation module 53 is specifically configured to:

generate N first pre-linkage values based on the N first seed values;

generate N second pre-linkage values based on the N second seed values;and

for each of N groups of pre-linkage values, perform an exclusive ORoperation on a first pre-linkage value and a second pre-linkage valuethat are included in the group to obtain a linkage value. Each group ofpre-linkage values includes one first pre-linkage value and one secondpre-linkage value.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to the behaviorinvestigation server of the foregoing method embodiment. Theimplementation principles and technical effects are similar, and are notfurther described herein.

FIG. 16 is a seventh schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 16 , the apparatus in this embodimentincludes a receiving module 61, a generation module 62, and a sendingmodule 63.

The receiving module 61 is configured to receive a request message fromthe registration server. The request message includes indicationinformation instructing the pseudonym credential configuration apparatusto generate N pre-linkage values.

The generation module 62 is configured to generate N pre-linkage values.

The sending module 63 is configured to send a feedback message to theregistration server. The feedback message includes the N pre-linkagevalues.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to thepseudonym credential configuration apparatus of the foregoing methodembodiment. The implementation principles and technical effects aresimilar, and are not further described herein.

In a possible design, the generation module 62 is specificallyconfigured to:

generate N seed values, where the N seed values include one native seedvalue; and

generate N pre-linkage values based on the N seed values.

In a possible design, the i^(th) seed value is a hash value of an(i−1)^(th) seed value, i=2, 3, . . . , N, and the native seed value is afirst seed value.

In a possible design, the m^(th) pre-linkage value is a part of them^(th) seed value.

Alternatively, the m^(th) pre-linkage value is a hash value of them^(th) seed value.

m=1, 2, . . . , N.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to the linkagevalue server of the foregoing method embodiment. The implementationprinciples and technical effects are similar, and are not furtherdescribed herein.

FIG. 17 is an eighth schematic structural diagram of a pseudonymcredential configuration apparatus according to an embodiment of thisapplication. Referring to FIG. 17 , based on FIG. 16 , the apparatus inthis embodiment further includes a storage module 64 and an obtainingmodule 65.

The request message further includes a hash value. The hash value is ahash value corresponding to an identifier of a terminal device thatrequests a pseudonym credential and a random number. The storage module64 is configured to store a first target value set in association withthe hash value, so that the pseudonym credential configuration apparatuscan obtain the first target value based on the hash value. The firsttarget value set is one of the native seed value, the N pre-linkagevalues, and the N seed values.

The receiving module 61 is further configured to receive a target hashvalue from a behavior investigation server. The target hash value is ahash value corresponding to a target identifier of a target terminaldevice and a target random number.

The obtaining module 65 is configured to obtain a second target valueset associated with the target hash value. The second target value setincludes one of the N seed values, the native seed value, and the Npre-linkage values.

The sending module 63 is further configured to send the second targetvalue set to the behavior investigation server.

The pseudonym credential configuration apparatus in this embodiment maybe used to execute the technical solutions corresponding to the linkagevalue server of the foregoing method embodiment. The implementationprinciples and technical effects are similar, and are not furtherdescribed herein.

An embodiment of this application provides a computer readable storagemedium. The computer readable storage medium stores a computer program.When the computer program is executed by a processor, the methodcorresponding to the registration server in the foregoing methodembodiments is performed.

An embodiment of this application provides a registration server,including a processor and a memory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod corresponding to the registration server in the foregoing methodembodiments.

An embodiment of this application provides a computer readable storagemedium. The computer readable storage medium stores a computer program.When the computer program is executed by a processor, the methodcorresponding to the pseudonym credential generation server in theforegoing method embodiments is performed.

An embodiment of this application provides a pseudonym credentialgeneration server, including a processor and a memory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod corresponding to the pseudonym credential generation server inthe foregoing method embodiments.

An embodiment of this application provides a computer readable storagemedium. The computer readable storage medium stores a computer program.When the computer program is executed by a processor, the methodcorresponding to the pseudonym credential generation server in theforegoing method embodiment is performed.

An embodiment of this application provides a behavior linkage valueserver, including a processor and a memory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod corresponding to the linkage value server in the foregoing methodembodiments.

An embodiment of this application provides a computer readable storagemedium. The computer readable storage medium stores a computer program.When the computer program is executed by a processor, the methodcorresponding to the behavior investigation server in the foregoingmethod embodiment is performed.

An embodiment of this application provides a behavior investigationserver, including a processor and a memory.

The memory is configured to store a program.

The processor is configured to execute the program stored in the memory.When the program is executed, the processor is configured to perform themethod corresponding to the behavior investigation server in theforegoing method embodiments.

The foregoing descriptions are merely specific implementations of thepresent invention, but are not intended to limit the protection scope ofthe present invention. Any variation or replacement readily figured outby a person skilled in the art within the technical scope disclosed inthe present invention shall fall within the protection scope of thepresent invention. Therefore, the protection scope of the presentinvention shall be subject to the protection scope of the claims.

What is claimed is:
 1. A pseudonym credential configuration methodcomprising: receiving, by a registration server, a first request messagefrom a terminal device, wherein the first request message comprises anidentifier of the terminal device and information about Nto-be-requested pseudonym credentials, and N is a positive integer;sending, by the registration server, N second request messages to apseudonym credential generation server, wherein each second requestmessage instructs the pseudonym credential generation server to generatea pseudonym credential, and the pseudonym credential comprises a tag ofthe corresponding second request message and at least a part ofinformation about one to-be-requested pseudonym credential comprised inthe corresponding second request message; storing, by the registrationserver, the tag of each second request message in association with theidentifier of the terminal device in the registration server, so thatthe registration server is enabled to obtain, based on the tag, theidentifier that is of the terminal device and that is associated withthe tag; and receiving, by the registration server, N pseudonymcredentials from the pseudonym credential generation server, and sendingthe N pseudonym credentials to the terminal device, wherein beforesending the N second request messages to the pseudonym credentialgeneration server, the method further comprises: determining, by theregistration server, a type of the first request message, wherein thetype is a pseudonym certificate request message or a pseudonym identityrequest message; and in response to the type being a pseudonymcertificate request message, the sending the N second request messagesto the pseudonym credential generation server further comprises sending,by the registration server, the N second request messages to a pseudonymcertificate generation server; or in response to the type being apseudonym identity request message, the sending the N second requestmessages to the pseudonym credential generation server comprisessending, by the registration server, the N second request messages to apseudonym identity generation server.
 2. The method according to claim1, wherein the first request message further comprises first indicationinformation indicating a type of the first request message; and whereinthe determining the type of the first request message comprises:determining, by the registration server, the type of the first requestmessage based on the first indication information.
 3. The methodaccording to claim 1, wherein before sending the N second requestmessages to the pseudonym credential generation server, the methodfurther comprises: sending, by the registration server, a third requestmessage to a first linkage value server, and sending a fourth requestmessage to a second linkage value server, wherein the third requestmessage comprises indication information instructing the first linkagevalue server to generate N first pre-linkage values, and the fourthrequest message comprises indication information instructing the secondlinkage value server to generate N second pre-linkage values; andreceiving, by the registration server, N first pre-linkage values fromthe first linkage value server, and receiving the N second pre-linkagevalues from the second linkage value server, wherein each pseudonymcredential further comprises a linkage value, wherein the linkage valueis obtained by the pseudonym credential generation server based on afirst pre-linkage value and a second pre-linkage value comprised in acorresponding second request message.
 4. The method according to claim3, wherein the third request message further comprises a first hashvalue, wherein the first hash value is a hash value corresponding to theidentifier of the terminal device and a first random number; the fourthrequest message further comprises a second hash value, wherein thesecond hash value is a hash value corresponding to the identifier of theterminal device and a second random number; and the method furthercomprises: storing, by the registration server, the identifier of theterminal device in association with the first hash value and the secondhash value, so that the registration server is enabled to obtain thefirst hash value and the second hash value based on the identifier ofthe terminal device.
 5. The method according to claim 3, wherein thefirst pre-linkage value is a linkage value encrypted by using a publickey of the pseudonym credential generation server, and the secondpre-linkage value is a linkage value encrypted by using the public keyof the pseudonym credential generation server.
 6. The method accordingto claim 1, wherein the information about the one to-be-requestedpseudonym credential is information obtained after actual information ofthe one to-be-requested pseudonym credential is encrypted by using apublic key of the pseudonym credential generation server; and the atleast the part of the information about the one to-be-requestedpseudonym credential comprised in the pseudonym credential is at least apart of the actual information of the one to-be-requested pseudonymcredential, wherein: in response to the pseudonym credential being apseudonym certificate, the at least the part of the actual informationof the one to-be-requested pseudonym credential comprises a pseudonymcertificate public key; or in response to the pseudonym credential beinga pseudonym identity, the at least the part of the actual information ofthe one to-be-requested pseudonym credential comprises a pseudonymidentifier.
 7. The method according to claim 6, wherein in response tothe pseudonym credential being a pseudonym identity, the method furthercomprises: receiving, by the registration server from the pseudonymcredential generation server, N pseudonym private keys corresponding toN pseudonym identifiers in N pseudonym identities.
 8. The methodaccording to claim 4, further comprising: receiving, by the registrationserver, a target tag from a behavior investigation server; anddetermining, by the registration server, a target identifier associatedwith the target tag, wherein the target identifier indicates a targetterminal device.
 9. The method according to claim 8, wherein afterreceiving the target tag from the behavior investigation server, themethod further comprises: sending a first target hash value and a secondtarget hash value that are associated with the target identifier to thebehavior investigation server, wherein the first target hash value is ahash value corresponding to the target identifier and a third randomnumber, and the second target hash value is a hash value correspondingto the target identifier and a fourth random number.
 10. A pseudonymcredential configuration apparatus comprising: a receiver, configured tocooperate with a processor to receive a first request message from aterminal device, wherein the first request message comprises anidentifier of the terminal device and information about Nto-be-requested pseudonym credentials, and N is a positive integer; atransmitter, configured to cooperate with the processor to send N secondrequest messages to a pseudonym credential generation server, whereineach second request message instructs the pseudonym credentialgeneration server to generate a pseudonym credential, and the pseudonymcredential comprises a tag of the corresponding second request messageand at least a part of information about one to-be-requested pseudonymcredential comprised in the corresponding second request message; and amemory coupled to the processor, configured to store the tag of eachsecond request message in association with the identifier of theterminal device in a registration server, so that the registrationserver is enabled to obtain, based on the tag, the identifier that is ofthe terminal device and that is associated with the tag, wherein thereceiver is further configured to cooperate with the processor toreceive N pseudonym credentials from the pseudonym credential generationserver, and send the N pseudonym credentials to the terminal device,wherein the processor is configured to determine a type of the firstrequest message before the transmitter sends the N second requestmessages to the pseudonym credential generation server, wherein the typeis a pseudonym certificate request message or a pseudonym identityrequest message; and in response to the type being a pseudonymcertificate request message, the transmitter sends the N second requestmessages to a pseudonym certificate generation server, or in response tothe type being a pseudonym identity request message, the transmittersends the N second request messages to a pseudonym identity generationserver.
 11. The apparatus according to claim 10, wherein the transmitteris further configured to cooperate with the processor to: before sendingthe N second request messages to the pseudonym credential generationserver, send a third request message to a first linkage value server,and send a fourth request message to a second linkage value server,wherein the third request message comprises indication informationinstructing the first linkage value server to generate N firstpre-linkage values, and the fourth request message comprises indicationinformation instructing the second linkage value server to generate Nsecond pre-linkage values; and the receiver is further configured tocooperate with the processor to: receive N first pre-linkage values fromthe first linkage value server, and receive the N second pre-linkagevalues from the second linkage value server, wherein each pseudonymcredential further comprises a linkage value, wherein the linkage valueis obtained by the pseudonym credential generation server based on afirst pre-linkage value and a second pre-linkage value comprised in acorresponding second request message.
 12. The apparatus according toclaim 11, wherein the third request message further comprises a firsthash value, wherein the first hash value is a hash value correspondingto the identifier of the terminal device and a first random number; andthe fourth request message further comprises a second hash value,wherein the second hash value is a hash value corresponding to theidentifier of the terminal device and a second random number; and thepseudonym credential configuration apparatus further comprises: thememory is further configured to store the identifier of the terminaldevice in association with the first hash value and the second hashvalue, so that the registration server is enabled to obtain the firsthash value and the second hash value based on the identifier of theterminal device.
 13. The apparatus according to claim 12, wherein: thereceiver is configured to receive a target tag from a behaviorinvestigation server; the processor is configured to determine a targetidentifier associated with the target tag, wherein the target identifierindicates a target terminal device; and the transmitter is furtherconfigured to send a first target hash value and a second target hashvalue that are associated with the target identifier to the behaviorinvestigation server, wherein the first target hash value is a hashvalue corresponding to the target identifier and a third random number,and the second target hash value is a hash value corresponding to thetarget identifier and a fourth random number.
 14. A non-transitorycomputer readable storage medium storing a computer program, which whenexecuted by a processor, cause the processor to perform operationsincluding: receiving a first request message from a terminal device,wherein the first request message comprises an identifier of theterminal device and information about N to-be-requested pseudonymcredentials, and N is a positive integer; sending N second requestmessages to a pseudonym credential generation server, wherein eachsecond request message instructs the pseudonym credential generationserver to generate a pseudonym credential, and the pseudonym credentialcomprises a tag of the corresponding second request message and at leasta part of information about one to-be-requested pseudonym credentialcomprised in the corresponding second request message; storing the tagof each second request message in association with the identifier of theterminal device in a registration server, so that the registrationserver is enabled to obtain, based on the tag, the identifier that is ofthe first terminal device and that is associated with the tag; andreceiving N pseudonym credentials from the pseudonym credentialgeneration server, and sending the N pseudonym credentials to theterminal device, wherein before sending the N second request messages tothe pseudonym credential generation server: determining a type of thefirst request message, wherein the type is a pseudonym certificaterequest message or a pseudonym identity request message; and in responseto the type being a pseudonym certificate request message, the sendingthe N second request messages to the pseudonym credential generationserver further comprises sending the N second request messages to apseudonym certificate generation server; or in response to the typebeing a pseudonym identity request message, the sending, the N secondrequest messages to the pseudonym credential generation server comprisessending the N second request messages to a pseudonym identity generationserver.
 15. A registration server comprising a processor and a memory,wherein: the memory is configured to store a program; and the processorwhich is coupled to the memory is configured to execute the programstored in the memory, and when the program is executed, the processor isconfigured to perform: receiving a first request message from a terminaldevice, wherein the first request message comprises an identifier of theterminal device and information about N to-be-requested pseudonymcredentials, and N is a positive integer; sending N second requestmessages to a pseudonym credential generation server, wherein eachsecond request message instructs the pseudonym credential generationserver to generate a pseudonym credential, and the pseudonym credentialcomprises a tag of the corresponding second request message and at leasta part of information about one to-be-requested pseudonym credentialcomprised in the corresponding second request message; storing the tagof each second request message in association with the identifier of theterminal device in the registration server, so that the registrationserver is enabled to obtain, based on the tag, the identifier that is ofthe terminal device and that is associated with the tag; and receiving Npseudonym credentials from the pseudonym credential generation server,and sending the N pseudonym credentials to the terminal device, whereinbefore sending the N second request messages to the pseudonym credentialgeneration server, the processor is configured to perform: determining,by the registration server, a type of the first request message, whereinthe type is a pseudonym certificate request message or a pseudonymidentity request message; and in response to the type being a pseudonymcertificate request message, the sending the N second request messagesto the pseudonym credential generation server further comprises sending,by the registration server, the N second request messages to a pseudonymcertificate generation server; or in response to the type being apseudonym identity request message, the sending, the N second requestmessages to the pseudonym credential generation server comprisessending, by the registration server, the N second request messages to apseudonym identity generation server.
 16. The registration serveraccording to claim 15, wherein the first request message furthercomprises first indication information indicating a type of the firstrequest message; and wherein the processor determining the type of thefirst request message comprises: the processor determining the type ofthe first request message based on the first indication information.